TODO cleanup

refpolicy/policy/modules/admin/bootloader.te

@@ -207,17 +207,3 @@ optional_policy(`
 	userdom_dontaudit_search_staff_home_dirs(bootloader_t)
 	userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
 ')
-
-ifdef(`TODO',`
-ifdef(`distro_debian', `
-	# cjp: there is no setfscreate or type_transition, and
-	# bootloader_t cannot rw a usr_t or lib_t directory, so
-	# how can this work?  This is probably rw_file_perms,
-	# possibly with unlink.  Files are probably "created"
-	# by the above relabeling permissions.
-	allow bootloader_t { usr_t lib_t }:file create_file_perms;
-
-	allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
-	allow bootloader_t dpkg_var_lib_t:file { getattr read };
-')
-') dnl end TODO

refpolicy/policy/modules/admin/consoletype.te

@@ -107,21 +107,3 @@ optional_policy(`
 optional_policy(`
 	userdom_use_unpriv_users_fds(consoletype_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`
-allow consoletype_t xdm_tmp_t:file rw_file_perms;
-')
-
-# this goes to xdm module
-ifdef(`targeted_policy',`
-	optional_policy(`
-		consoletype_domtrans(xdm_t)
-	')
-')
-
-optional_policy(`
-allow consoletype_t printconf_t:file r_file_perms;
-')
-
-') dnl end TODO

refpolicy/policy/modules/admin/netutils.te

@@ -87,10 +87,6 @@ optional_policy(`
 	nis_use_ypbind(netutils_t)
 ')
 
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
-') dnl end TODO
-
 ########################################
 #
 # Ping local policy
@@ -162,12 +158,6 @@ optional_policy(`
 	hotplug_use_fds(ping_t)
 ')
 
-ifdef(`TODO',`
-if(user_ping) {
-	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
-}
-') dnl end TODO
-
 ########################################
 #
 # Traceroute local policy
@@ -235,9 +225,3 @@ optional_policy(`
 optional_policy(`
 	nscd_socket_use(traceroute_t)
 ')
-
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
-#rules needed for nmap
-dontaudit traceroute_t userdomain:dir search;
-') dnl end TODO

refpolicy/policy/modules/admin/su.if

@@ -284,20 +284,8 @@ template(`su_per_userdomain_template',`
 	')
 
 	ifdef(`TODO',`
-	# Caused by su - init scripts
-	dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
-
-	# Inherit and use descriptors from gnome-pty-helper.
-	ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
-
 	allow $1_su_t $1_home_t:file create_file_perms;
 
-	ifdef(`user_canbe_sysadm', `
-	allow $1_su_t home_dir_type:dir { search write };
-	', `
-	dontaudit $1_su_t home_dir_type:dir { search write };
-	')
-
 	ifdef(`ssh.te', `
 	# Access sshd cookie files.
 	allow $1_su_t sshd_tmp_t:file rw_file_perms;

refpolicy/policy/modules/admin/sudo.if

@@ -138,14 +138,11 @@ template(`sudo_per_userdomain_template',`
 	')
 
 	ifdef(`TODO',`
-	ifdef(`gnome-pty-helper.te', `allow $1_sudo_t gphdomain:fd use;')
-
 	# for when the network connection is killed
 	dontaudit unpriv_userdomain $1_sudo_t:process signal;
 
 	ifdef(`mta.te', `
 	domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
-	allow $1_mail_t $1_sudo_t:fifo_file rw_file_perms;
 	')
 
 	ifdef(`pam.te', `

refpolicy/policy/modules/admin/tmpreaper.te

@@ -47,7 +47,3 @@ cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
 optional_policy(`
 	lpd_manage_spool(tmpreaper_t)
 ')
-
-ifdef(`TODO',`
-allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
-')

refpolicy/policy/modules/services/apm.te

@@ -1,5 +1,5 @@
 
-policy_module(apm,1.2.2)
+policy_module(apm,1.2.3)
 
 ########################################
 #
@@ -86,6 +86,7 @@ files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
 kernel_read_kernel_sysctls(apmd_t)
 kernel_rw_all_sysctls(apmd_t)
 kernel_read_system_state(apmd_t)
+kernel_write_proc_files(apmd_t)
 
 dev_read_realtime_clock(apmd_t)
 dev_read_urand(apmd_t)
@@ -238,11 +239,3 @@ optional_policy(`
 optional_policy(`
 	xserver_domtrans_xdm_xserver(apmd_t)
 ')
-
-ifdef(`TODO',`
-allow apmd_t proc_t:file write;
-allow apmd_t user_tty_type:chr_file { ioctl read getattr lock write append };
-optional_policy(`
-	allow apmd_t crond_t:fifo_file { getattr read write ioctl };
-')
-')

refpolicy/policy/modules/services/bind.te

@@ -206,12 +206,6 @@ optional_policy(`
 	udev_read_db(named_t)
 ')
 
-ifdef(`TODO',`
-can_udp_send(domain, named_t)
-can_udp_send(named_t, domain)
-can_tcp_connect(domain, named_t)
-')
-
 ########################################
 #
 # NDC local policy

refpolicy/policy/modules/services/cron.if

@@ -256,9 +256,6 @@ template(`cron_per_userdomain_template',`
 
 	# Read user crontabs
 	dontaudit $1_crontab_t $1_home_dir_t:dir write;
-
-	# Inherit and use descriptors from gnome-pty-helper.
-	ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
 	') dnl endif TODO
 ')
 

refpolicy/policy/modules/services/cron.te

@@ -1,5 +1,5 @@
 
-policy_module(cron,1.3.2)
+policy_module(cron,1.3.3)
 
 gen_require(`
 	class passwd rootok;
@@ -391,6 +391,10 @@ ifdef(`targeted_policy',`
 		mrtg_append_create_logs(system_crond_t)
 	')
 
+	optional_policy(`
+		mta_send_mail(system_crond_t)
+	')
+
 	optional_policy(`
 		mysql_read_config(system_crond_t)
 	')
@@ -436,13 +440,8 @@ ifdef(`targeted_policy',`
 	allow system_crond_t mail_spool_t:lnk_file read;
 
 	ifdef(`mta.te', `
-	mta_send_mail_transition(system_crond_t)
 	allow mta_user_agent system_crond_t:fd use;
 	r_dir_file(system_mail_t, crond_tmp_t)
 	')
-
-	# for daemon re-start
-	allow system_crond_t syslogd_t:lnk_file read;
-
 	') dnl end TODO
 ')

refpolicy/policy/modules/services/gpm.te

@@ -1,5 +1,5 @@
 
-policy_module(gpm,1.1.0)
+policy_module(gpm,1.1.1)
 
 ########################################
 #
@@ -54,7 +54,8 @@ kernel_read_proc_symlinks(gpm_t)
 
 dev_read_sysfs(gpm_t)
 # Access the mouse.
-dev_read_input(gpm_t)
+# cjp: why write?
+dev_rw_input_dev(event_device_t)
 dev_rw_mouse(gpm_t)
 
 fs_getattr_all_fs(gpm_t)
@@ -91,9 +92,3 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(gpm_t)
 ')
-
-ifdef(`TODO',`
-# Access the mouse.
-# cjp: why write?
-allow gpm_t event_device_t:chr_file rw_file_perms;
-')

refpolicy/policy/modules/services/mta.if

@@ -246,13 +246,6 @@ template(`mta_per_userdomain_template',`
 		postfix_read_config($1_mail_t)
 		postfix_list_spool($1_mail_t)
 	')
-
-
-	ifdef(`TODO',`
-	# if you do not want to allow dead.letter then use the following instead
-	#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
-	#allow $1_mail_t $1_home_t:file r_file_perms;
-	') dnl end TODO
 ')
 
 ########################################

refpolicy/policy/modules/services/ntp.te

@@ -158,11 +158,3 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ntpd_t)
 ')
-
-ifdef(`TODO',`
-allow ntpd_t sysadm_t:udp_socket sendto;
-allow sysadm_t ntpd_t:udp_socket recvfrom;
-
-allow sysadm_t ntpd_t:udp_socket sendto;
-allow ntpd_t sysadm_t:udp_socket recvfrom;
-') dnl end TODO

refpolicy/policy/modules/services/postfix.te

@@ -490,10 +490,6 @@ init_use_script_fds(postfix_postqueue_t)
 
 sysnet_dontaudit_read_config(postfix_postqueue_t)
 
-ifdef(`TODO',`
-optional_policy(`allow postfix_postqueue_t user_gph_t:fd use;')
-')
-
 ########################################
 #
 # Postfix qmgr local policy

refpolicy/policy/modules/services/samba.te

@@ -1,5 +1,5 @@
 
-policy_module(samba,1.2.1)
+policy_module(samba,1.2.2)
 
 #################################
 #
@@ -166,10 +166,6 @@ optional_policy(`
 	nscd_socket_use(samba_net_t)
 ')
 
-ifdef(`TODO',`
-in_user_role(samba_net_t)
-')
-
 ########################################
 #
 # smbd Local policy
@@ -515,6 +511,10 @@ sysnet_read_config(smbmount_t)
 userdom_use_all_users_fds(smbmount_t)
 userdom_use_sysadm_ttys(smbmount_t)
 
+optional_policy(`
+	cups_read_rw_config(smbd_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(smbmount_t)
 ')
@@ -523,12 +523,6 @@ optional_policy(`
 	nscd_socket_use(smbmount_t)
 ')
 
-ifdef(`TODO',`
-ifdef(`cups.te', `
-	allow smbd_t cupsd_rw_etc_t:file { getattr read };
-')
-')
-
 ########################################
 #
 # SWAT Local policy

refpolicy/policy/modules/services/snmp.te

@@ -156,8 +156,3 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(snmpd_t)
 ')
-
-ifdef(`TODO',`
-can_udp_send(sysadm_t, snmpd_t)
-can_udp_send(snmpd_t, sysadm_t)
-') dnl end TODO

refpolicy/policy/modules/services/squid.te

@@ -181,11 +181,6 @@ ifdef(`TODO',`
 ifdef(`apache.te',`
 can_tcp_connect(squid_t, httpd_t)
 ')
-
-ifdef(`winbind.te', `
-domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
-allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
-')
 #squid requires the following when run in diskd mode, the recommended setting
 allow squid_t tmpfs_t:file { read write };
 ') dnl end TODO

refpolicy/policy/modules/services/xserver.if

@@ -900,6 +900,25 @@ interface(`xserver_xsession_spec_domtrans',`
 	domain_trans($1,xsession_exec_t,$2)
 ')
 
+########################################
+## <summary>
+##	Get the attributes of X server logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_getattr_log',`
+	gen_require(`
+		type xserver_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 xserver_log_t:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to write the X server

refpolicy/policy/modules/services/xserver.te

@@ -1,5 +1,5 @@
 
-policy_module(xserver,1.1.2)
+policy_module(xserver,1.1.3)
 
 ########################################
 #
@@ -319,6 +319,10 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_exec_cifs_files(xdm_t)
 ')
 
+optional_policy(`
+	consoletype_domtrans(xdm_t)
+')
+
 optional_policy(`
 	# Talk to the console mouse server.
 	gpm_stream_connect(xdm_t)

refpolicy/policy/modules/system/authlogin.te

@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.3.1)
+policy_module(authlogin,1.3.2)
 
 ########################################
 #
@@ -247,11 +247,9 @@ optional_policy(`
 	udev_read_db(pam_console_t)
 ')
 
-ifdef(`TODO',`
-ifdef(`xdm.te', `
-	allow pam_console_t xdm_var_run_t:file { getattr read };
+optional_policy(`
+	xserver_read_xdm_pid(pam_console_t)
 ')
-') dnl endif TODO
 
 ########################################
 #

refpolicy/policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.4)
+policy_module(init,1.3.5)
 
 gen_require(`
 	class passwd rootok;
@@ -152,6 +152,9 @@ files_exec_etc_files(init_t)
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
 
+# cjp: this may be related to /dev/log
+fs_write_ramfs_sockets(init_t)
+
 libs_use_ld_so(init_t)
 libs_use_shared_libs(init_t)
 libs_rw_ld_so_cache(init_t)
@@ -195,10 +198,6 @@ optional_policy(`
 	userdom_shell_domtrans_sysadm(init_t)
 ')
 
-ifdef(`TODO',`
-allow init_t ramfs_t:sock_file write;
-')
-
 ########################################
 #
 # Init script local policy

refpolicy/policy/modules/system/logging.if

@@ -65,6 +65,37 @@ interface(`logging_domtrans_auditctl',`
 	allow auditctl_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Execute auditctl in the auditctl domain, and
+##	allow the specified role the auditctl domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the auditctl domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the auditctl domain to use.
+##	</summary>
+## </param>
+#
+interface(`logging_run_auditctl',`
+	gen_require(`
+		type auditctl_t;
+	')
+
+	logging_domtrans_auditctl($1)
+	role $2 types auditctl_t;
+	allow auditctl_t $3:chr_file rw_term_perms;
+')
+
 ########################################
 ## <summary>
 ##	Execute syslogd in the syslog domain.

refpolicy/policy/modules/system/logging.te

@@ -1,5 +1,5 @@
 
-policy_module(logging,1.3.1)
+policy_module(logging,1.3.2)
 
 ########################################
 #
@@ -94,21 +94,6 @@ ifdef(`targeted_policy',`
 	term_use_unallocated_ttys(auditctl_t)
 ')
 
-ifdef(`TODO',`
-role secadm_r types auditctl_t;
-role sysadm_r types auditctl_t;
-audit_manager_domain(secadm_t)
-
-ifdef(`targeted_policy', `', `
-ifdef(`enable_mls', `
-audit_manager_domain(secadm_t)
-', `
-audit_manager_domain(sysadm_t)
-') 
-allow auditctl_t admin_tty_type:chr_file rw_file_perms;
-')
-') dnl end TODO
-
 ########################################
 #
 # Auditd local policy
@@ -385,14 +370,6 @@ optional_policy(`
 ')
 
 ifdef(`TODO',`
-allow syslogd_t tmpfs_t:dir search;
-dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
-
 # log to the xconsole
 allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
-
-#
-# Special case to handle crashes
-#
-allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
 ') dnl end TODO

refpolicy/policy/modules/system/miscfiles.te

@@ -57,7 +57,3 @@ files_type(test_file_t)
 #
 type tetex_data_t;
 files_tmp_file(tetex_data_t)
-
-ifdef(`TODO',`
-allow customizable self:filesystem associate;
-') dnl end TODO

refpolicy/policy/modules/system/modutils.te

@@ -1,5 +1,5 @@
 
-policy_module(modutils,1.1.0)
+policy_module(modutils,1.1.1)
 
 gen_require(`
 	bool secure_mode_insmod;
@@ -53,12 +53,9 @@ allow insmod_t { modules_conf_t modules_dep_t }:file r_file_perms;
 
 can_exec(insmod_t, insmod_exec_t)
 
-# make sediff happy (no effect)
-dontaudit insmod_t self:process { noatsecure rlimitinh siginh };
-type_transition insmod_t insmod_exec_t:process insmod_t;
-
 kernel_load_module(insmod_t)
 kernel_read_system_state(insmod_t)
+kernel_write_proc_files(insmod_t)
 kernel_mount_debugfs(insmod_t)
 kernel_read_debugfs(insmod_t)
 # Rules for /proc/sys/kernel/tainted
@@ -157,12 +154,11 @@ optional_policy(`
 	rpm_rw_pipes(insmod_t)
 ')
 
-ifdef(`TODO',`
-allow insmod_t proc_t:file rw_file_perms;
 optional_policy(`
+	# cjp: why is this needed:
+	dev_rw_xserver_misc(insmod_t)
+
 	xserver_getattr_log(insmod_t)
-	allow insmod_t xserver_misc_device_t:chr_file { read write };
-')
 ')
 
 ########################################
@@ -218,12 +214,6 @@ optional_policy(`
 	rpm_rw_pipes(depmod_t)
 ')
 
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
-') dnl end ifdef TODO
-
-allow depmod_t modules_object_t:file unlink;
-
 #################################
 #
 # update-modules local policy

refpolicy/policy/modules/system/mount.te

@@ -1,5 +1,5 @@
 
-policy_module(mount,1.3.2)
+policy_module(mount,1.3.3)
 
 ########################################
 #
@@ -149,14 +149,3 @@ optional_policy(`
 optional_policy(`
 	samba_domtrans_smbmount(mount_t)
 ')
-
-ifdef(`TODO',`
-# TODO: Need to examine this further. Not sure how to handle this
-#type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
-#allow sysadm_t sysadm_mount_source_t:file create_file_perms;
-#allow sysadm_t sysadm_mount_source_t:file { relabelto relabelfrom };
-#allow mount_t sysadm_mount_source_t:file rw_file_perms;
-
-# for when /etc/mtab loses its type
-allow mount_t file_t:file unlink;
-') dnl endif TODO

refpolicy/policy/modules/system/raid.te

@@ -86,6 +86,4 @@ optional_policy(`
 ifdef(`TODO',`
 # Ignore attempts to read every device file
 dontaudit mdadm_t device_t:{ fifo_file file chr_file blk_file } { read getattr };
-
-allow mdadm_t var_t:dir getattr;
 ') dnl TODO

refpolicy/policy/modules/system/selinuxutil.te

@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.2.3)
+policy_module(selinuxutil,1.2.4)
 
 gen_require(`
 	bool secure_mode;
@@ -346,6 +346,7 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
 kernel_use_fds(restorecon_t)
 kernel_rw_pipes(restorecon_t)
 kernel_read_system_state(restorecon_t)
+kernel_rw_unix_dgram_sockets(restorecon_t)
 kernel_relabelfrom_unlabeled_dirs(restorecon_t)
 kernel_relabelfrom_unlabeled_files(restorecon_t)
 kernel_relabelfrom_unlabeled_symlinks(restorecon_t)
@@ -413,17 +414,6 @@ optional_policy(`
 	hotplug_use_fds(restorecon_t)
 ')
 
-ifdef(`TODO',`
-# for upgrading glibc and other shared objects - without this the upgrade
-# scripts will put things in a state such that restorecon can not be run!
-allow restorecon_t lib_t:file { read execute };
-ifdef(`dpkg.te', `
-domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
-')
-') dnl endif TODO
-
-allow restorecon_t kernel_t:unix_dgram_socket { read write };
-
 ########################################
 #
 # Restorecond local policy

refpolicy/policy/modules/system/udev.te

@@ -1,5 +1,5 @@
 
-policy_module(udev,1.3.1)
+policy_module(udev,1.3.2)
 
 ########################################
 #
@@ -199,10 +199,6 @@ optional_policy(`
 	sysnet_domtrans_dhcpc(udev_t)
 ')
 
-#optional_policy(`
-#	xdm_read_pid(udev_t)
-#')
-
-ifdef(`TODO',`
-dontaudit udev_t ttyfile:chr_file unlink;
-') dnl endif TODO
+optional_policy(`
+	xserver_read_xdm_pid(udev_t)
+')

refpolicy/policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.7)
+policy_module(userdomain,1.3.8)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -179,11 +179,12 @@ ifdef(`targeted_policy',`
 		mls_file_downgrade(secadm_t)
 		init_exec(secadm_t)
 		logging_read_audit_log(secadm_t)
-		logging_domtrans_auditctl(secadm_t)
+		logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
 	', `
 		logging_domtrans_auditctl(sysadm_t)
 		logging_read_audit_log(sysadm_t)
+		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
 	')
 
 	tunable_policy(`allow_ptrace',`