fill pam and utempter authlogin policy and fix up interfaces

2005-05-03 20:23:33 +00:00 · 2005-05-03 20:23:33 +00:00 · 3ce6cb4a45
parent 4541a9d9a5
commit 3ce6cb4a45
13 changed files with 539 additions and 220 deletions
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@ -53,7 +53,7 @@ libraries_use_dynamic_loader(consoletype_t)
 libraries_read_shared_libraries(consoletype_t)

 optional_policy(`authlogin.te', `
-authlogin_read_pam_runtime_data(consoletype_t)
+authlogin_pam_read_runtime_data(consoletype_t)
 ')

 ifdef(`TODO',`
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@ -26,6 +26,7 @@ files_make_file(boot_runtime_t)

 type bootloader_t;
 domain_make_domain(bootloader_t)
+role system_r types bootloader_t;

 type bootloader_exec_t;
 domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
@ -79,7 +80,7 @@ storage_raw_write_removable_device(bootloader_t)
 devices_get_all_character_device_attributes(bootloader_t)
 devices_set_all_block_device_attributes(bootloader_t)
 devices_ignore_modify_generic_devices(bootloader_t)
-# for reading BIOS data (cjp: ?)
+# for reading BIOS data
 devices_raw_read_memory(bootloader_t)

 init_get_control_channel_attributes(bootloader_t)
@ -104,11 +105,11 @@ logging_send_system_log_message(bootloader_t)
 filesystem_get_persistent_filesystem_attributes(bootloader_t)

 terminal_use_controlling_terminal(bootloader_t)
-terminal_get_user_terminal_attributes(bootloader_t)
+terminal_get_all_users_physical_terminal_attributes(bootloader_t)

 allow bootloader_t bootloader_etc_t:file { getattr read };

-optional_policy(modutils.te,`
+optional_policy(`modutils.te',`
 modutils_insmod_execute(insmod_t)
 ')

@ -122,7 +123,7 @@ miscfiles_read_localization(bootloader_t)
 allow bootloader_t modules_object_t:dir { getattr search read };
 allow bootloader_t modules_object_t:file { getattr read };

-files_read_general_system_resources(bootloader_t)
+files_read_general_application_resources(bootloader_t)
 bootloader_install_initrd(bootloader_t)

 devices_get_random_data(bootloader_t)
@ -160,7 +161,7 @@ tunable_policy(`distro_debian', `
 allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
 allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
 allow bootloader_t boot_t:file relabelfrom;
-')
+') dnl end distro_debian

 tunable_policy(`distro_redhat', `
 files_make_mountpoint(bootloader_tmp_t)
@ -176,7 +177,7 @@ allow bootloader_t boot_runtime_t:file { read getattr unlink };
 # for memlock
 devices_get_zeros(bootloader_t)
 allow bootloader_t self:capability ipc_lock;
-')
+') dnl end distro_redhat

 ifdef(`TODO',`

@ -184,7 +185,6 @@ ifdef(`TODO',`
 domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
 allow bootloader_t admin_tty_type:chr_file rw_file_perms;

-role system_r types bootloader_t;
 allow bootloader_t initrc_t:fifo_file { read write };

 allow bootloader_t lib_t:file { getattr read };
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@ -160,7 +160,7 @@ allow kernel_t sysctl_kernel_t:file { getattr read };

 # old base_file_read_access():
 files_list_home_directories(kernel_t)
-files_read_general_shared_resources(kernel_t)
+files_read_general_application_resources(kernel_t)
 selinux_read_config(kernel_t)

 selinux_read_binary_policy(kernel_t)
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@ -27,20 +27,112 @@ devices_list_device_nodes_depend

 ########################################
 #
-# terminal_use_all_terminals(domain,[`optional'])
+# terminal_use_all_terminals(domain)
 #
 define(`terminal_use_all_terminals',`
-requires_block_template(terminal_use_all_terminals_depend,$2)
-devices_list_device_nodes($1,optional)
-allow $1 devpts_t:dir { getattr read search };
+requires_block_template(terminal_use_all_terminals_depend)
+devices_list_device_nodes($1)
+allow $1 devpts_t:dir { getattr search read };
 allow $1 { console_device_t devtty_t ttynode ptynode }:chr_file { read write };
 ')

 define(`terminal_use_all_terminals_depend',`
 attribute ttynode, ptynode;
 type console_device_t, devtty_t, devpts_t;
+class dir { getattr search read };
+class chr_file { read write };
+')
+
+########################################
+#
+# terminal_get_all_users_physical_terminal_attributes(domain)
+#
+define(`terminal_get_all_users_physical_terminal_attributes',`
+requires_block_template(terminal_get_all_users_physical_terminal_attributes_depend)
+devices_list_device_nodes($1)
+allow $1 ttynode:chr_file getattr;
+')
+
+define(`terminal_get_all_users_physical_terminal_attributes_depend',`
+attribute ttynode;
+class chr_file getattr;
+')
+
+########################################
+#
+# terminal_use_all_users_physical_terminals(domain)
+#
+define(`terminal_use_all_users_physical_terminals',`
+requires_block_template(terminal_use_all_users_physical_terminals_depend)
+devices_list_device_nodes($1)
+allow $1 ttynode:chr_file { read write };
+')
+
+define(`terminal_use_all_users_physical_terminals_depend',`
+attribute ttynode;
+class chr_file { read write };
+')
+
+########################################
+#
+# terminal_ignore_use_all_users_physical_terminals(domain)
+#
+define(`terminal_ignore_use_all_users_physical_terminals',`
+requires_block_template(terminal_ignore_use_all_users_physical_terminals_depend)
+dontaudit $1 ttynode:chr_file { read write };
+')
+
+define(`terminal_ignore_use_all_users_physical_terminals_depend',`
+attribute ttynode;
+class chr_file { read write };
+')
+
+########################################
+#
+# terminal_get_all_users_pseudoterminal_attributes(domain)
+#
+define(`terminal_get_all_users_pseudoterminal_attributes',`
+requires_block_template(terminal_get_all_users_pseudoterminal_attributes_depend,$2)
+devices_list_device_nodes($1)
+allow $1 devpts_t:dir { getattr search read };
+allow $1 ptynode:chr_file getattr;
+')
+
+define(`terminal_get_all_users_pseudoterminal_attributes_depend',`
+attribute ptynode;
+class dir { getattr search read };
+class chr_file getattr;
+')
+
+########################################
+#
+# terminal_use_all_users_pseudoterminals(domain)
+#
+define(`terminal_use_all_users_pseudoterminals',`
+requires_block_template(terminal_use_all_users_pseudoterminals_depend)
+devices_list_device_nodes($1)
+allow $1 devpts_t:dir { getattr read search };
+allow $1 ptynode:chr_file { read write };
+')
+
+define(`terminal_use_all_users_pseudoterminals_depend',`
+attribute ptynode;
+class dir { getattr search read };
+class chr_file { read write };
+')
+
+########################################
+#
+# terminal_ignore_use_all_users_pseudoterminals(domain)
+#
+define(`terminal_ignore_use_all_users_pseudoterminals',`
+requires_block_template(terminal_ignore_use_all_users_pseudoterminals_depend)
+dontaudit $1 ptynode:chr_file { read write };
+')
+
+define(`terminal_ignore_use_all_users_pseudoterminals_depend',`
+attribute ptynode;
 class chr_file { read write };
-devices_list_device_nodes_depend
 ')

 ########################################
@ -152,22 +244,6 @@ type tty_device_t;
 class chr_file { read write };
 ')

-########################################
-#
-# terminal_get_user_terminal_attributes(domain,[`optional'])
-#
-define(`terminal_get_user_terminal_attributes',`
-requires_block_template(terminal_get_user_terminal_attributes_depend,$2)
-devices_list_device_nodes($1,optional)
-allow $1 ttynode:chr_file getattr;
-')
-
-define(`terminal_get_user_terminal_attributes_depend',`
-attribute ttynode;
-class chr_file getattr;
-devices_list_device_nodes_depend
-')
-
 ########################################
 #
 # terminal_list_pseudoterminals(domain,[`optional'])
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@ -37,7 +37,10 @@ kernel_read_system_state($1_chkpwd_t)
 #can_resolve($1_chkpwd_t)

 # Transition from the user domain to this domain.
-ifelse($1, system, `', `
+ifelse($1, system, `
+#dontaudit $1_chkpwd_t user_tty_type:chr_file rw_file_perms;
+terminal_use_general_physical_terminal($1_chkpwd_t)
+', `
 # Transition from the user domain to this domain.
 allow $1_t chkpwd_exec_t:file { getattr read execute };
 allow $1_t $1_chkpwd_t:process transition;
@ -113,6 +116,8 @@ class process transition;
 #
 define(`authlogin_modify_login_records',`
 requires_block_template(authlogin_modify_login_records_depend)
+files_search_system_state_data_directory($1)
+# FIXME: search var_log_t
 allow $1 wtmp_t:file { getattr read write setattr };
 ')

@ -127,6 +132,7 @@ class file { getattr read write setattr };
 #
 define(`authlogin_read_shadow_passwords',`
 requires_block_template(authlogin_read_shadow_passwords_depend)
+# FIXME: read etc_t dir
 allow $1 shadow_t:file { getattr read };
 typeattribute $1 can_read_shadow_passwords;
 ')
@ -157,6 +163,7 @@ class file { getattr read };
 #
 define(`authlogin_modify_shadow_passwords',`
 requires_block_template(authlogin_modify_shadow_passwords_depend)
+# FIXME: read etc_t dir
 allow $1 shadow_t:file { getattr read write };
 typeattribute $1 can_read_shadow_passwords;
 typeattribute $1 can_write_shadow_passwords;
@ -185,16 +192,36 @@ class file { getattr read write setattr };

 #######################################
 #
-# authlogin_read_pam_runtime_data(domain)
+# authlogin_pam_read_runtime_data(domain)
 #
-define(`authlogin_read_pam_runtime_data',`
-requires_block_template(authlogin_read_pam_runtime_data_depend)
-# FIXME: search var_t
-# FIXME: search var_run_t
+define(`authlogin_pam_read_runtime_data',`
+requires_block_template(authlogin_pam_read_runtime_data_depend)
+files_search_system_state_data_directory($1)
+files_search_runtime_data_directory($1)
+allow $1 pam_var_run_t:dir { getattr search read };
 allow $1 pam_var_run_t:file { getattr read };
 ')

-define(`authlogin_read_pam_runtime_data_depend',`
-type lastlog_t;
+define(`authlogin_pam_read_runtime_data_depend',`
+type pam_var_run_t;
+class dir { getattr search read };
 class file { getattr read };
 ')
+
+#######################################
+#
+# authlogin_pam_remove_runtime_data(domain)
+#
+define(`authlogin_pam_remove_runtime_data',`
+requires_block_template(authlogin_pam_remove_runtime_data_depend)
+files_search_system_state_data_directory($1)
+files_search_runtime_data_directory($1)
+allow $1 pam_var_run_t:dir { getattr search read write remove_name };
+allow $1 pam_var_run_t:file { getattr unlink };
+')
+
+define(`authlogin_pam_remove_runtime_data_depend',`
+type pam_var_run_t;
+class dir { getattr search read write remove_name };
+class file { getattr unlink };
+')
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@ -25,8 +25,9 @@ domain_make_domain(pam_console_t)
 type pam_console_exec_t;
 domain_make_entrypoint_file(pam_console_t,pam_console_exec_t)

-type pam_t;
+type pam_t; #, nscd_client_domain;
 domain_make_domain(pam_t)
+role system_r types pam_t;

 type pam_exec_t;
 domain_make_entrypoint_file(pam_t,pam_exec_t)
@ -47,7 +48,7 @@ attribute can_write_shadow_passwords;
 neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file write;

-type utempter_t;
+type utempter_t; #, nscd_client_domain;
 domain_make_domain(utempter_t)

 type utempter_exec_t;
@ -58,7 +59,102 @@ logging_make_log_file(wtmp_t)

 ########################################
 #
-# Local policy
+# PAM local policy
 #
-#dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
-#dontaudit system_chkpwd_t privfd:fd use;
+
+allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+dontaudit pam_t self:capability sys_tty_config;
+
+allow pam_t self:fd use;
+allow pam_t self:fifo_file { read getattr lock ioctl write append };
+allow pam_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow pam_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow pam_t self:unix_dgram_socket sendto;
+allow pam_t self:unix_stream_socket connectto;
+allow pam_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
+allow pam_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
+allow pam_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow pam_t self:msg { send receive };
+
+allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
+allow pam_t pam_var_run_t:file { getattr read unlink };
+
+allow pam_t pam_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow pam_t pam_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir })
+
+kernel_read_system_state(pam_t)
+
+terminal_use_controlling_terminal(pam_t)
+terminal_use_all_users_physical_terminals(pam_t)
+terminal_use_all_users_pseudoterminals(pam_t)
+
+init_script_ignore_modify_runtime_data(pam_t)
+
+files_read_general_system_config(pam_t)
+files_read_runtime_data_directory(pam_t)
+
+libraries_use_dynamic_loader(pam_t)
+libraries_read_shared_libraries(pam_t)
+
+logging_send_system_log_message(pam_t)
+
+optional_policy(`locallogin.te',`
+locallogin_use_file_descriptors(pam_t)
+')
+
+ifdef(`TODO',`
+allow pam_t unpriv_userdomain:fd use;
+can_ypbind(pam_t)
+ifdef(`automount.te', `
+allow pam_t autofs_t:dir { search getattr };
+')
+
+in_user_role(pam_t)
+domain_auto_trans(userdomain, pam_exec_t, pam_t)
+ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
+') dnl endif TODO
+
+########################################
+#
+# Utempter local policy
+#
+
+allow utempter_t self:capability setgid;
+allow utempter_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+
+allow utempter_t wtmp_t:file { ioctl read getattr lock write append };
+
+terminal_get_all_users_physical_terminal_attributes(utempter_t)
+terminal_get_all_users_pseudoterminal_attributes(utempter_t)
+terminal_ignore_use_all_users_physical_terminals(utempter_t)
+terminal_ignore_use_all_users_pseudoterminals(utempter_t)
+
+init_script_modify_runtime_data(utempter_t)
+
+files_read_general_system_config(utempter_t)
+
+domain_use_widely_inheritable_file_descriptors(utempter_t)
+
+libraries_use_dynamic_loader(utempter_t)
+libraries_read_shared_libraries(utempter_t)
+
+logging_search_system_log_directory(utempter_t)
+
+ifdef(`TODO',`
+in_user_role(utempter_t)
+role sysadm_r types utempter_t;
+domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
+
+# dontaudit access to /dev/ptmx.
+dontaudit utempter_t ptmx_t:chr_file rw_file_perms;
+
+# Allow utemper to write to /tmp/.xses-*
+allow utempter_t user_tmpfile:file { getattr write append };
+
+ifdef(`xdm.te', `
+allow utempter_t xdm_t:fd use;
+allow utempter_t xdm_t:fifo_file { write getattr };
+')
+
+') dnl endif TODO
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@ -127,6 +127,20 @@ attribute privfd;
 class fd use;
 ')

+########################################
+#
+# domain_ignore_use_widely_inheritable_file_descriptors(domain,[`optional'])
+#
+define(`domain_ignore_use_widely_inheritable_file_descriptors',`
+requires_block_template(domain_ignore_use_widely_inheritable_file_descriptors_depend,$2)
+dontaudit $1 privfd:fd use;
+')
+
+define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',`
+attribute privfd;
+class fd use;
+')
+
 ########################################
 #
 # domain_all_init_domains_transition(domain,[`optional'])
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -362,15 +362,72 @@ class dir { getattr search read write add_name remove_name };

 ########################################
 #
-# files_read_general_shared_resources(domain,[`optional'])
+# files_list_home_directories(type,[`optional'])
 #
-define(`files_read_general_shared_resources',`
-requires_block_template(files_read_general_shared_resources_depend,$2)
+define(`files_list_home_directories',`
+requires_block_template(files_list_home_directories_depend,$2)
+allow $1 home_root_t:dir { getattr search read };
+')
+
+define(`files_list_home_directories_depend',`
+type home_root_t;
+class dir { getattr search read };
+')
+
+########################################
+#
+# files_create_private_tmp_data(domain,private_type,[object class(es)],[`optional'])
+#
+define(`files_create_private_tmp_data',`
+requires_block_template(files_create_private_tmp_data_depend,$2)
+allow $1 tmp_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 tmp_t:file $2;
+',`
+type_transition $1 tmp_t:$3 $2;
+')
+typeattribute $1 tmpfile;
+')
+
+define(`files_create_private_tmp_data_depend',`
+attribute tmpfile;
+type tmp_t;
+class dir { getattr search read write add_name };
+')
+
+########################################
+#
+# files_remove_all_tmp_data(domain,[`optional'])
+#
+define(`files_remove_all_tmp_data',`
+requires_block_template(files_remove_all_tmp_data_depend,$2)
+allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
+allow $1 tmpfile:file { getattr unlink };
+allow $1 tmpfile:lnk_file { getattr unlink };
+allow $1 tmpfile:fifo_file { getattr unlink };
+allow $1 tmpfile:sock_file { getattr unlink };
+')
+
+define(`files_remove_all_tmp_data_depend',`
+attribute tmpfile;
+class dir { getattr search read write add_name remove_name rmdir };
+class file { getattr unlink };
+class lnk_file { getattr unlink };
+class fifo_file { getattr unlink };
+class sock_file { getattr unlink };
+')
+
+########################################
+#
+# files_read_general_application_resources(domain,[`optional'])
+#
+define(`files_read_general_application_resources',`
+requires_block_template(files_read_general_application_resources_depend,$2)
 allow $1 usr_t:dir { getattr search read };
 allow $1 usr_t:{ file lnk_file } { getattr read };
 ')

-define(`files_read_general_shared_resources_depend',`
+define(`files_read_general_application_resources_depend',`
 type usr_t;
 class dir { getattr search read };
 class file { getattr read };
@ -379,27 +436,121 @@ class lnk_file { getattr read };

 ########################################
 #
-# files_manage_pseudorandom_saved_seed(domain,[`optional'])
+# files_read_system_source_code(domain)
+#
+define(`files_read_system_source_code',`
+requires_block_template(files_read_system_source_code_depend)
+allow $1 usr_t:dir search;
+allow $1 src_t:dir { getattr search read };
+allow $1 src_t:{ file lnk_file } { getattr read };
+')
+
+define(`files_read_system_source_code_depend',`
+type usr_t, src_t;
+class dir { getattr search read };
+class file { getattr read };
+class lnk_file { getattr read };
+')
+
+########################################
+#
+# files_search_system_state_data_directory(domain)
+#
+define(`files_search_system_state_data_directory',`
+requires_block_template(files_search_system_state_data_directory_depend)
+allow $1 var_t:dir search;
+')
+
+define(`files_search_system_state_data_directory_depend',`
+type var_t;
+class dir search;
+')
+
+########################################
+#
+# files_manage_pseudorandom_saved_seed(domain)
 #
 define(`files_manage_pseudorandom_saved_seed',`
-requires_block_template(files_manage_pseudorandom_saved_seed_depend,$2)
+requires_block_template(files_manage_pseudorandom_saved_seed_depend)
 allow $1 var_t:dir search;
 allow $1 var_lib_t:dir { getattr search read write add_name remove_name };
 allow $1 var_lib_t:file { getattr create read write setattr unlink };
 ')

 define(`files_manage_pseudorandom_saved_seed_depend',`
-type usr_t;
+type var_t, var_lib_t;
 class dir { getattr search read write add_name remove_name };
 class file { getattr create read write setattr unlink };
 ')

 ########################################
 #
-# files_create_daemon_runtime_data(domain,pidfile,[object class(es)],[`optional'])
+# files_manage_system_lock_files(domain,[`optional'])
+#
+define(`files_manage_system_lock_files',`
+requires_block_template(files_manage_system_lock_files_depend,$2)
+allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
+allow $1 var_lock_t:file { getattr create read write setattr unlink };
+')
+
+define(`files_manage_system_lock_files_depend',`
+type var_lock_t;
+class dir { getattr search create read write setattr add_name remove_name rmdir };
+class file { getattr create read write setattr unlink };
+')
+
+########################################
+#
+# files_remove_all_lock_files(domain,[`optional'])
+#
+define(`files_remove_all_lock_files',`
+requires_block_template(files_remove_all_lock_files_depend,$2)
+allow $1 lockfile:dir { getattr search read write add_name remove_name };
+allow $1 lockfile:file { getattr unlink };
+')
+
+define(`files_remove_all_lock_files_depend',`
+attribute lockfile;
+class dir { getattr search read write add_name remove_name };
+class file { getattr unlink };
+')
+
+########################################
+#
+# files_search_runtime_data_directory(domain)
+#
+define(`files_search_runtime_data_directory',`
+requires_block_template(files_search_runtime_data_directory_depend)
+allow $1 var_t:dir search;
+allow $1 var_run_t:dir search;
+')
+
+define(`files_search_runtime_data_directory_depend',`
+type var_t, var_run_t;
+class dir search;
+')
+
+########################################
+#
+# files_read_runtime_data_directory(domain)
+#
+define(`files_read_runtime_data_directory',`
+requires_block_template(files_read_runtime_data_directory_depend)
+allow $1 var_t:dir search;
+allow $1 var_run_t:dir { getattr search read };
+')
+
+define(`files_read_runtime_data_directory_depend',`
+type var_t, var_run_t;
+class dir { getattr search read };
+')
+
+########################################
+#
+# files_create_daemon_runtime_data(domain,pidfile,[object class(es)])
 #
 define(`files_create_daemon_runtime_data',`
-requires_block_template(files_create_daemon_runtime_data_depend,$4)
+requires_block_template(files_create_daemon_runtime_data_depend)
 allow $1 var_t:dir search;
 allow $1 var_run_t:dir { getattr search read write add_name remove_name };
 ifelse(`$3',`',`
@ -455,128 +606,3 @@ class file { getattr unlink };
 class lnk_file { getattr unlink };
 class sock_file { getattr unlink };
 ')
-
-########################################
-#
-# files_create_private_tmp_data(domain,private_type,[object class(es)],[`optional'])
-#
-define(`files_create_private_tmp_data',`
-requires_block_template(files_create_private_tmp_data_depend,$2)
-allow $1 tmp_t:dir { getattr search read write add_name remove_name };
-ifelse(`$3',`',`
-type_transition $1 tmp_t:file $2;
-',`
-type_transition $1 tmp_t:$3 $2;
-')
-typeattribute $1 tmpfile;
-')
-
-define(`files_create_private_tmp_data_depend',`
-attribute tmpfile;
-type etc_t;
-class dir { getattr search read write add_name };
-')
-
-########################################
-#
-# files_remove_all_tmp_data(domain,[`optional'])
-#
-define(`files_remove_all_tmp_data',`
-requires_block_template(files_remove_all_tmp_data_depend,$2)
-allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
-allow $1 tmpfile:file { getattr unlink };
-allow $1 tmpfile:lnk_file { getattr unlink };
-allow $1 tmpfile:fifo_file { getattr unlink };
-allow $1 tmpfile:sock_file { getattr unlink };
-')
-
-define(`files_remove_all_tmp_data_depend',`
-attribute tmpfile;
-class dir { getattr search read write add_name remove_name rmdir };
-class file { getattr unlink };
-class lnk_file { getattr unlink };
-class fifo_file { getattr unlink };
-class sock_file { getattr unlink };
-')
-
-########################################
-#
-# files_manage_system_lock_files(domain,[`optional'])
-#
-define(`files_manage_system_lock_files',`
-requires_block_template(files_manage_system_lock_files_depend,$2)
-allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
-allow $1 var_lock_t:file { getattr create read write setattr unlink };
-')
-
-define(`files_manage_system_lock_files_depend',`
-type var_lock_t;
-class dir { getattr search create read write setattr add_name remove_name rmdir };
-class file { getattr create read write setattr unlink };
-')
-
-########################################
-#
-# files_remove_all_lock_files(domain,[`optional'])
-#
-define(`files_remove_all_lock_files',`
-requires_block_template(files_remove_all_lock_files_depend,$2)
-allow $1 lockfile:dir { getattr search read write add_name remove_name };
-allow $1 lockfile:file { getattr unlink };
-')
-
-define(`files_remove_all_lock_files_depend',`
-attribute lockfile;
-class dir { getattr search read write add_name remove_name };
-class file { getattr unlink };
-')
-
-########################################
-#
-# files_read_general_system_resources(domain,[`optional'])
-#
-define(`files_read_general_system_resources',`
-requires_block_template(files_read_general_system_resources_depend,$2)
-allow $1 usr_t:dir { getattr search read };
-allow $1 usr_t:{ file lnk_file } { getattr read };
-')
-
-define(`files_read_general_system_resources_depend',`
-type usr_t;
-class dir { getattr search read };
-class file { getattr read };
-class lnk_file { getattr read };
-')
-
-########################################
-#
-# files_read_system_source_code(type,[`optional'])
-#
-define(`files_read_system_source_code',`
-requires_block_template(files_read_system_source_code_depend,$2)
-allow $1 usr_t:dir search;
-allow $1 src_t:dir { getattr search read };
-allow $1 src_t:{ file lnk_file } { getattr read };
-')
-
-define(`files_read_system_source_code_depend',`
-type usr_t, src_t;
-class dir { getattr search read };
-class file { getattr read };
-class lnk_file { getattr read };
-')
-
-########################################
-#
-# files_list_home_directories(type,[`optional'])
-#
-define(`files_list_home_directories',`
-requires_block_template(files_list_home_directories_depend,$2)
-allow $1 home_root_t:dir { getattr search read };
-')
-
-define(`files_list_home_directories_depend',`
-type home_root_t;
-class dir { getattr search read };
-
-')
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@ -2,10 +2,10 @@

 ########################################
 #
-# init_transition(domain,[`optional'])
+# init_transition(domain)
 #
 define(`init_transition',`
-requires_block_template(init_transition_depend,$2)
+requires_block_template(init_transition_depend)
 allow $1 init_exec_t:file { getattr read execute };
 allow $1 init_t:process transition;
 type_transition $1 init_exec_t:file init_t;
@ -20,10 +20,10 @@ class process { transition noatsecure siginh rlimitinh };

 ########################################
 #
-# init_get_control_channel_attributes(domain,[`optional'])
+# init_get_control_channel_attributes(domain)
 #
 define(`init_get_control_channel_attributes',`
-requires_block_template(init_get_control_channel_attributes_depend,$2)
+requires_block_template(init_get_control_channel_attributes_depend)
 allow $1 initctl_t:fifo_file getattr;
 ')

@ -63,10 +63,10 @@ class fifo_file { read write };

 ########################################
 #
-# init_sigchld(domain,[`optional'])
+# init_sigchld(domain)
 #
 define(`init_sigchld',`
-requires_block_template(init_sigchld_depend,$2)
+requires_block_template(init_sigchld_depend)
 allow $1 init_t:process sigchld;
 ')

@ -77,10 +77,10 @@ class process sigchld;

 ########################################
 #
-# init_use_file_descriptors(domain,[`optional'])
+# init_use_file_descriptors(domain)
 #
 define(`init_use_file_descriptors',`
-requires_block_template(init_use_file_descriptors_depend,$2)
+requires_block_template(init_use_file_descriptors_depend)
 allow $1 init_t:fd use;
 ')

@ -91,10 +91,10 @@ class fd use;

 ########################################
 #
-# init_ignore_use_file_descriptors(domain,[`optional'])
+# init_ignore_use_file_descriptors(domain)
 #
 define(`init_ignore_use_file_descriptors',`
-requires_block_template(init_ignore_use_file_descriptors_depend,$2)
+requires_block_template(init_ignore_use_file_descriptors_depend)
 dontaudit $1 init_t:fd use;
 ')

@ -105,10 +105,10 @@ class fd use;

 ########################################
 #
-# init_script_transition(domain,[`optional'])
+# init_script_transition(domain)
 #
 define(`init_script_transition',`
-requires_block_template(init_script_transition_depend,$2)
+requires_block_template(init_script_transition_depend)
 allow $1 initrc_exec_t:file { getattr read execute };
 allow $1 initrc_t:process transition;
 type_transition $1 initrc_exec_t:process init_t;
@ -123,10 +123,30 @@ class process { transition noatsecure siginh rlimitinh };

 ########################################
 #
-# init_script_use_file_descriptors(domain,[`optional'])
+# init_script_direct_admin_transition(role,domain)
+#
+define(`init_script_direct_admin_transition',`
+requires_block_template(init_script_direct_admin_transition_depend)
+allow $2 initrc_exec_t:file { getattr read execute };
+allow $2 initrc_t:process transition;
+type_transition $2 initrc_exec_t:file init_t;
+role_transition $1 initrc_exec_t system_r;
+dontaudit $2 init_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`init_script_direct_admin_transition_depend',`
+type initrc_t, initrc_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+kernel_system_role_transition_depend
+')
+
+########################################
+#
+# init_script_use_file_descriptors(domain)
 #
 define(`init_script_use_file_descriptors',`
-requires_block_template(init_script_use_file_descriptors_depend,$2)
+requires_block_template(init_script_use_file_descriptors_depend)
 allow $1 initrc_t:fd use;
 ')

@ -137,10 +157,10 @@ class fd use;

 ########################################
 #
-# init_script_use_pseudoterminal(domain,[`optional'])
+# init_script_use_pseudoterminal(domain)
 #
 define(`init_script_use_pseudoterminal',`
-requires_block_template(init_script_use_pseudoterminal_depend,$2)
+requires_block_template(init_script_use_pseudoterminal_depend)
 allow $1 initrc_devpts_t:chr_file { read write };
 ')

@ -151,20 +171,44 @@ class chr_file { read write };

 ########################################
 #
-# init_script_direct_admin_transition(role,domain,[`optional'])
+# init_script_read_runtime_data(domain)
 #
-define(`init_script_direct_admin_transition',`
-requires_block_template(init_script_direct_admin_transition_depend,$2)
-allow $2 initrc_exec_t:file { getattr read execute };
-allow $2 initrc_t:process transition;
-type_transition $2 initrc_exec_t:file init_t;
-kernel_system_role_transition($1,initrc_exec_t,optional)
-dontaudit $2 init_t:process { noatsecure siginh rlimitinh };
+define(`init_script_read_runtime_data',`
+requires_block_template(init_script_read_runtime_data_depend)
+files_read_runtime_data_directory($1)
+allow $1 initrc_var_run_t:file { getattr read };
 ')

-define(`init_script_direct_admin_transition_depend',`
-type initrc_t, initrc_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
-kernel_system_role_transition_depend
+define(`init_script_read_runtime_data_depend',`
+type initrc_var_run_t;
+class file { getattr read };
+')
+
+########################################
+#
+# init_script_modify_runtime_data(domain)
+#
+define(`init_script_modify_runtime_data',`
+requires_block_template(init_script_modify_runtime_data_depend)
+files_read_runtime_data_directory($1)
+allow $1 initrc_var_run_t:file { getattr read write append };
+')
+
+define(`init_script_modify_runtime_data_depend',`
+type initrc_var_run_t;
+class file { getattr read write append };
+')
+
+########################################
+#
+# init_script_ignore_modify_runtime_data(domain)
+#
+define(`init_script_ignore_modify_runtime_data',`
+requires_block_template(init_script_ignore_modify_runtime_data_depend)
+dontaudit $1 initrc_var_run_t:file { getattr read write append };
+')
+
+define(`init_script_ignore_modify_runtime_data_depend',`
+type initrc_var_run_t;
+class file { getattr read write append };
 ')
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -251,7 +251,7 @@ files_read_general_system_config(initrc_t)
 files_create_runtime_system_config(initrc_t)
 files_manage_system_lock_files(initrc_t)
 files_execute_system_config_script(initrc_t)
-files_read_general_shared_resources(initrc_t)
+files_read_general_application_resources(initrc_t)
 files_manage_pseudorandom_saved_seed(initrc_t)

 corecommands_execute_general_programs(initrc_t)
@ -289,6 +289,11 @@ files_create_boot_flag(initrc_t)
 bootloader_create_runtime_data(initrc_t)
 ')

+optional_policy(`authlogin.te',`
+authlogin_pam_read_runtime_data(initrc_t)
+authlogin_pam_remove_runtime_data(initrc_t)
+')
+
 ifdef(`TODO',`
 # Mount and unmount file systems.
 allow initrc_t { file_t default_t }:dir { read search getattr mounton };
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@ -17,3 +17,17 @@ type local_login_t, login_exec_t;
 class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
+
+########################################
+#
+# locallogin_use_file_descriptors(domain,[`optional'])
+#
+define(`locallogin_use_file_descriptors',`
+requires_block_template(locallogin_use_file_descriptors_depend,$2)
+allow $1 local_login_t:fd use;
+')
+
+define(`locallogin_use_file_descriptors_depend',`
+type local_login_t;
+class fd use;
+')
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@ -2,25 +2,24 @@

 #######################################
 #
-# logging_make_log_file(type,[`optional'])
+# logging_make_log_file(domain)
 #
 define(`logging_make_log_file',`
-requires_block_template(logging_make_log_file_depend,$2)
-files_make_file($1,optional)
+requires_block_template(logging_make_log_file_depend)
+files_make_file($1)
 typeattribute $1 logfile;
 ')

 define(`logging_make_log_file_depend',`
 attribute logfile;
-files_make_file_depend
 ')

 #######################################
 #
-# logging_send_system_log_message(type,[`optional'])
+# logging_send_system_log_message(domain)
 #
 define(`logging_send_system_log_message',`
-requires_block_template(logging_send_system_log_message_depend,$2)
+requires_block_template(logging_send_system_log_message_depend)
 allow $1 devlog_t:lnk_file read;
 allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
 # the type of socket depends on the syslog daemon
@ -39,10 +38,26 @@ class unix_stream_socket { create read getattr write setattr append bind connect

 #######################################
 #
-# logging_append_all_logs(type,[`optional'])
+# logging_search_system_log_directory(domain)
+#
+define(`logging_search_system_log_directory',`
+requires_block_template(logging_search_system_log_directory_depend)
+files_search_system_state_data_directory($1)
+allow $1 var_log_t:dir search;
+')
+
+define(`logging_search_system_log_directory_depend',`
+type var_log_t;
+class dir search;
+')
+
+#######################################
+#
+# logging_append_all_logs(domain)
 #
 define(`logging_append_all_logs',`
-requires_block_template(logging_append_all_logs_depend,$2)
+requires_block_template(logging_append_all_logs_depend)
+files_search_system_state_data_directory($1)
 allow $1 var_log_t:dir { getattr search read };
 allow $1 logfile:file { getattr append };
 ')
@ -56,10 +71,11 @@ class file { getattr append };

 #######################################
 #
-# logging_read_all_logs(type,[`optional'])
+# logging_read_all_logs(domain)
 #
 define(`logging_read_all_logs',`
-requires_block_template(logging_read_all_logs_depend,$2)
+requires_block_template(logging_read_all_logs_depend)
+files_search_system_state_data_directory($1)
 allow $1 var_log_t:dir { getattr search read };
 allow $1 logfile:file { getattr read };
 ')
@ -73,10 +89,11 @@ class file { getattr read };

 #######################################
 #
-# logging_modify_system_logs(type,[`optional'])
+# logging_modify_system_logs(domain)
 #
 define(`logging_modify_system_logs',`
-requires_block_template(logging_modify_system_logs_depend,$2)
+requires_block_template(logging_modify_system_logs_depend)
+files_search_system_state_data_directory($1)
 allow $1 var_log_t:dir { getattr search read };
 allow $1 var_log_t:file { getattr read write append };
 ')
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@ -72,7 +72,7 @@ filesystem_get_persistent_filesystem_attributes(insmod_t)

 files_read_runtime_system_config(insmod_t)
 files_read_general_system_config(insmod_t)
-files_read_general_shared_resources(insmod_t)
+files_read_general_application_resources(insmod_t)
 files_execute_system_config_script(insmod_t)

 domain_signal_all_domains(insmod_t)