switch over to tunable_policy and optional_policy

refpolicy/policy/modules/kernel/bootloader.te

@@ -157,13 +157,13 @@ optional_policy(`fsadm.te', `
 filesystemtools_execute(bootloader_t)
 ')
 
-ifdef(`distro_debian', `
+tunable_policy(`distro_debian', `
 allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
 allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
 allow bootloader_t boot_t:file relabelfrom;
 ')
 
-ifdef(`distro_redhat', `
+tunable_policy(`distro_redhat', `
 files_make_mountpoint(bootloader_tmp_t)
 
 # for mke2fs
@@ -204,7 +204,7 @@ allow lvm_t bootloader_tmp_t:file rw_file_perms;
 r_dir_file(bootloader_t, lvm_etc_t)
 ')
 
-ifdef(`distro_debian', `
+tunable_policy(`distro_debian', `
 allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
 allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
 allow bootloader_t tmpfs_t:dir r_dir_perms;
@@ -216,7 +216,7 @@ allow bootloader_t dpkg_var_lib_t:file { getattr read };
 can_exec(bootloader_t, usr_t)
 ')
 
-ifdef(`distro_redhat', `
+tunable_policy(`distro_redhat', `
 # new file system defaults to file_t, granting file_t access is still bad.
 allow bootloader_t file_t:dir create_dir_perms;
 allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;

refpolicy/policy/modules/system/init.te

@@ -277,7 +277,7 @@ optional_policy(`consoletype.te',`
 consoletype_transition(initrc_t)
 ')
 
-ifdef(`distro_redhat',`
+tunable_policy(`distro_redhat',`
 kernel_set_selinux_enforcement_mode(initrc_t)
 
 files_create_boot_flag(initrc_t)
@@ -308,7 +308,7 @@ allow initrc_t home_type:file r_file_perms;
 allow initrc_t udev_runtime_t:file rw_file_perms;
 
 # for lsof in shutdown scripts
-ifdef(`kerberos.te',`
+optional_policy(`kerberos.te',`
 if (allow_kerberos) {
 can_network_client(initrc_t, `kerberos_port_t')
 can_resolve(initrc_t)
@@ -326,12 +326,12 @@ allow initrc_t device_t:lnk_file unlink;
 #
 #  These rules are here to allow init scripts to su
 #
-ifdef(`su.te', `
+optional_policy(`su.te', `
 su_restricted_domain(initrc,system)
 role system_r types initrc_su_t;
 ')
 
-ifdef(`distro_debian', `
+tunable_policy(`distro_debian', `
 allow initrc_t { etc_t device_t }:dir setattr;
 
 # for storing state under /dev/shm
@@ -339,9 +339,9 @@ allow initrc_t tmpfs_t:dir setattr;
 file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
 file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
 allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
-')
+')dnl end distro_debian
 
-ifdef(`distro_redhat', `
+tunable_policy(`distro_redhat', `
 # Create and read /boot/kernel.h and /boot/System.map.
 # Redhat systems typically create this file at boot time.
 allow initrc_t boot_t:lnk_file rw_file_perms;
@@ -375,7 +375,7 @@ dontaudit initrc_t proc_kmsg_t:file getattr;
 # Run_init local policy
 #
 
-ifdef(`targeted_policy',`
+tunable_policy(`targeted_policy',`
 # targeted/unconfined stuff
 ',`
 corecommands_execute_general_programs(run_init_t)
@@ -426,7 +426,7 @@ files_ignore_search_all_directories(run_init_t)
 
 ifdef(`TODO',`
 
-ifdef(`targeted_policy', `
+tunable_policy(`targeted_policy', `
 domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
 allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
 allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
@@ -445,7 +445,7 @@ allow run_init_t lib_t:file { getattr read };
 
 ') dnl endif targeted policy
 
-ifdef(`distro_gentoo', `
+tunable_policy(`distro_gentoo', `
 # Gentoo integrated run_init+open_init_pty-runscript:
 domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 ')

refpolicy/policy/modules/system/iptables.te

@@ -76,9 +76,11 @@ allow iptables_t userdomain:fd use;
 
 # Access terminals.
 allow iptables_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;')
+optional_policy(`gnome-pty-helper.te',`
+allow iptables_t sysadm_gph_t:fd use;
+')
 
-ifdef(`firstboot.te', `
+optional_policy(`firstboot.te', `
 allow iptables_t firstboot_t:fifo_file write;
 ')
 ') dnl ifdef TODO

refpolicy/policy/modules/system/locallogin.te

@@ -75,11 +75,8 @@ allow local_login_t exec_type:{ file lnk_file } r_file_perms;
 # Read /dev directories and any symbolic links.
 allow local_login_t device_t:lnk_file r_file_perms;
 
-ifdef(`pam.te', `
+optional_policy(`authlogin.te',`
 can_exec(local_login_t, pam_exec_t)
-')
-
-ifdef(`pamconsole.te', `
 rw_dir_create_file(local_login_t, pam_var_console_t)
 ')
 
@@ -89,7 +86,7 @@ allow local_login_t autofs_t:dir { search read getattr };
 allow local_login_t mnt_t:dir r_dir_perms;
 
 # FIXME: what is this for?
-ifdef(`xdm.te', `
+optional_policy(`xdm.te', `
 allow xdm_t local_login_t:process signull;
 ')
 
@@ -118,7 +115,7 @@ allow local_login_t mail_spool_t:lnk_file read;
 
 allow local_login_t mouse_device_t:chr_file { getattr setattr };
 
-ifdef(`targeted_policy',`
+tunable_policy(`targeted_policy',`
 unconfined_domain(local_login_t)
 domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
 ')
@@ -153,8 +150,9 @@ allow local_login_t ttyfile:chr_file { setattr rw_file_perms };
 allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto };
 allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto };
 
-ifdef(`gpm.te',
-`allow local_login_t gpmctl_t:sock_file { getattr setattr };')
+optional_policy(`gpm.te',`
+allow local_login_t gpmctl_t:sock_file { getattr setattr };
+')
 
 # Allow setting of attributes on sound devices.
 allow local_login_t sound_device_t:chr_file { getattr setattr };

refpolicy/policy/modules/system/logging.te

@@ -120,11 +120,13 @@ filesystem_get_all_filesystems_attributes(syslogd_t)
 init_use_file_descriptors(syslogd_t)
 init_script_use_pseudoterminal(syslogd_t)
 
+domain_use_widely_inheritable_file_descriptors(syslogd_t)
+
 files_read_general_system_config(syslogd_t)
 files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
 files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
 files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
-ifdef(`distro_suse', `
+tunable_policy(`distro_suse', `
 # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
 file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
 ')
@@ -153,9 +155,19 @@ kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
 ')
 
+optional_policy(`selinux.te',`
+selinux_newrole_sigchld(syslogd_t)
+')
+
 optional_policy(`udev.te', `
 udev_read_database(syslogd_t)
-')dnl end if udev.te
+')
+
+tunable_policy(`targeted_policy', `
+terminal_ignore_use_general_physical_terminal(syslogd_t)
+terminal_ignore_use_general_pseudoterminal(syslogd_t)
+files_ignore_read_rootfs_file(syslogd_t)
+')
 
 ifdef(`TODO',`
 allow syslogd_t proc_t:dir r_dir_perms;
@@ -163,19 +175,13 @@ allow syslogd_t proc_t:lnk_file read;
 allow syslogd_t null_device_t:chr_file r_file_perms;
 dontaudit syslogd_t unpriv_userdomain:fd use;
 allow syslogd_t autofs_t:dir { search getattr };
-allow syslogd_t privfd:fd use;
 dontaudit syslogd_t sysadm_home_dir_t:dir search;
-ifdef(`newrole.te', `allow syslogd_t newrole_t:process sigchld;')
-ifdef(`rhgb.te', `
+optional_policy(`rhgb.te', `
 allow syslogd_t rhgb_t:process sigchld;
 allow syslogd_t rhgb_t:fd use;
 allow syslogd_t rhgb_t:fifo_file { read write };
 ')
-ifdef(`targeted_policy', `
-dontaudit syslogd_t { tty_device_t devpts_t }:chr_file { read write };
-dontaudit syslogd_t root_t:file { getattr read };
-')dnl end if targeted_policy
-ifdef(`direct_sysadm_daemon', `
+tunable_policy(`direct_sysadm_daemon',`
 dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
 ')
 

refpolicy/policy/modules/system/modutils.te

@@ -88,22 +88,10 @@ miscfiles_read_localization(insmod_t)
 
 logging_send_system_log_message(insmod_t)
 
-define(`insmod_mount_optional_policy',`
+optional_policy(`mount.te',`
 mount_transition(insmod_t)
 ')
 
-########################################
-#
-# Conditional policy logic
-#
-
-ifdef(`monolithic_policy',`
-ifdef(`mount.te',`insmod_mount_optional_policy')
-',`
-optional mount { mount_transition_depend }
-ifopt (consoletype) { insmod_mount_optional_policy }
-') dnl end monolithic_policy
-
 #
 #
 # TODO rules:

refpolicy/policy/modules/system/mount.te

@@ -100,30 +100,30 @@ ifdef(`gnome-pty-helper.te', `
 allow mount_t sysadm_gph_t:fd use;
 ')
 
-ifdef(`distro_redhat',`
-ifdef(`pamconsole.te',`
+tunable_policy(`distro_redhat',`
+optional_policy(`authlogin.te',`
 r_dir_file($2_t,pam_var_console_t)
 # mount config by default sets fscontext=removable_t
 allow $2_t dosfs_t:filesystem relabelfrom;
-') dnl end pamconsole.te
+') dnl end authlogin
 ') dnl end distro_redhat
 
-ifdef(`rhgb.te', `
+optional_policy(`rhgb.te', `
 allow mount_t rhgb_t:process sigchld;
 allow mount_t rhgb_t:fd use;
 allow mount_t rhgb_t:fifo_file { read write };
 ')
 
-ifdef(`distro_redhat', `
+tunable_policy(`distro_redhat', `
 allow mount_t tmpfs_t:chr_file { read write };
 allow mount_t tmpfs_t:dir mounton;
 ')
 
-ifdef(`automount.te', `
+optional_policy(`automount.te', `
 allow mount_t autofs_t:dir read;
 ')
 
-ifdef(`portmap.te', `
+optional_policy(`portmap.te', `
 # for nfs
 can_network(mount_t)
 can_ypbind(mount_t)

refpolicy/policy/modules/system/selinux.te

@@ -343,7 +343,7 @@ allow restorecon_t { userdomain privfd }:fd use;
 # scripts will put things in a state such that restorecon can not be run!
 allow restorecon_t lib_t:file { read execute };
 
-ifdef(`distro_redhat', `
+tunable_policy(`distro_redhat', `
 allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
 ')
 

refpolicy/policy/modules/system/selinuxutil.te

@@ -343,7 +343,7 @@ allow restorecon_t { userdomain privfd }:fd use;
 # scripts will put things in a state such that restorecon can not be run!
 allow restorecon_t lib_t:file { read execute };
 
-ifdef(`distro_redhat', `
+tunable_policy(`distro_redhat', `
 allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
 ')
 

refpolicy/policy/modules/system/udev.te

@@ -108,7 +108,7 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
 dbusd_client(system, udev)
 
 # Ifdefs
-ifdef(`distro_redhat', `
+tunable_policy(`distro_redhat', `
 allow udev_t tmpfs_t:dir rw_dir_perms;
 allow udev_t tmpfs_t:sock_file create_file_perms;
 allow udev_t tmpfs_t:lnk_file create_lnk_perms;
@@ -119,26 +119,26 @@ allow udev_t tmpfs_t:dir search;
 domain_auto_trans(udev_t, netutils_exec_t, netutils_t)
 ') dnl end ifdef distro_redhat
 
-ifdef(`hide_broken_symptoms', `
+tunable_policy(`hide_broken_symptoms', `
 dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
 dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
 ')
 
-ifdef(`xdm.te', `
+optional_policy(`xdm.te', `
 allow udev_t xdm_var_run_t:file { getattr read };
 ')
 
-ifdef(`hotplug.te', `
+optional_policy(`hotplug.te', `
 r_dir_file(udev_t, hotplug_etc_t)
 ')
 
-ifdef(`pamconsole.te', `
+optional_policy(`authlogin.te', `
 allow udev_t pam_var_console_t:dir search;
 allow udev_t pam_var_console_t:file { getattr read };
-domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t)
+authlogin_pam_console_transition(udev_t)
 ')
 
-ifdef(`dhcpc.te', `
+optional_policy(`sysnetwork.te', `
 domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
 ')
 ') dnl endif TODO