convert relevant conditionals into tunable_policy

refpolicy/policy/global_tunables

@@ -30,6 +30,11 @@ gen_tunable(cron_can_relabel,false)
 ## </tunable>
 gen_tunable(fcron_crond,false)
 
+## <tunable name="allow_gpg_execstack" dftval="false">
+##	Allow gpg executable stack
+## </tunable>
+gen_tunable(allow_gpg_execstack,false)
+
 ## <tunable name="read_default_t" dftval="false">
 ##	Allow reading of default_t files.
 ## </tunable>
@@ -72,6 +77,11 @@ gen_tunable(user_dmesg,false)
 ## </tunable>
 gen_tunable(user_net_control,false)
 
+## <tunable name="user_ping" dftval="false">
+##	Control users use of ping and traceroute
+## </tunable>
+gen_tunable(user_ping,false)
+
 ## <tunable name="user_rw_noexattrfile" dftval="false">
 ##	Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
 ## </tunable>

refpolicy/policy/modules/admin/consoletype.te

@@ -73,21 +73,7 @@ allow consoletype_t nfs_t:file write;
 allow consoletype_t crond_t:fifo_file r_file_perms;
 allow consoletype_t system_crond_t:fd use;
 
-optional_policy(`ypbind.te', `
+can_ypbind(consoletype_t)
-if (allow_ypbind) {
-can_network(consoletype_t)
-r_dir_file(consoletype_t,var_yp_t)
-corenet_tcp_bind_generic_port(consoletype_t)
-corenet_udp_bind_generic_port(consoletype_t)
-corenet_tcp_bind_reserved_port(consoletype_t)
-corenet_udp_bind_reserved_port(consoletype_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(consoletype_t)
-corenet_dontaudit_udp_bind_all_reserved_ports(consoletype_t)
-dontaudit consoletype_t self:capability net_bind_service;
-} else {
-dontaudit consoletype_t var_yp_t:dir search;
-}
-') dnl end ypbind optional_policy
 
 optional_policy(`automount.te', `
 allow consoletype_t autofs_t:dir { search getattr };

refpolicy/policy/modules/admin/netutils.te

@@ -24,11 +24,6 @@ type traceroute_exec_t;
 init_system_domain(traceroute_t,traceroute_exec_t)
 role system_r types traceroute_t;
 
-#
-# Control users use of ping and traceroute
-#
-bool user_ping false;
-
 ########################################
 #
 # Netutils local policy
@@ -129,10 +124,10 @@ sysnet_read_config(ping_t)
 
 logging_send_syslog_msg(ping_t)
 
-if (user_ping) {
+tunable_policy(`user_ping',`
 	term_use_all_user_ttys(ping_t)
 	term_use_all_user_ptys(ping_t)
-}
+')
 
 ifdef(`TODO',`
 can_ypbind(ping_t)
@@ -143,10 +138,11 @@ allow ping_t admin_tty_type:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
 
 in_user_role(ping_t)
-if (user_ping) {
+tunable_policy(`user_ping',`
 	domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
 	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
-}
+')
+
 ') dnl end TODO
 
 ########################################
@@ -192,10 +188,10 @@ dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)
 files_read_usr_files(traceroute_t)
 
-if (user_ping) {
+tunable_policy(`user_ping',`
 	term_use_all_user_ttys(traceroute_t)
 	term_use_all_user_ptys(traceroute_t)
-}
+')
 
 ifdef(`TODO',`
 role sysadm_r types traceroute_t;
@@ -210,9 +206,9 @@ allow traceroute_t admin_tty_type:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
 
 in_user_role(traceroute_t)
-if (user_ping) {
+tunable_policy(`user_ping',`
 	domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
-}
+')
 
 #rules needed for nmap
 dontaudit traceroute_t userdomain:dir search;

refpolicy/policy/modules/apps/gpg.if

@@ -94,14 +94,14 @@ define(`gpg_per_userdomain_template',`
 	sysnet_read_config($1_gpg_t)
 
 	# Legacy
-	if (allow_gpg_execstack) {
+	tunable_policy(`allow_gpg_execstack',`
 		allow $1_gpg_t self:process execmem;
 		libs_legacy_use_shared_libs($1_gpg_t)
 		libs_legacy_use_ld_so($1_gpg_t)
 		miscfiles_legacy_read_localization($1_gpg_t)
 		# Not quite sure why this is needed... 
 		allow $1_gpg_t gpg_exec_t:file execmod;
-	}
+	')
 
 	ifdef(`TODO',`
 
@@ -134,12 +134,12 @@ define(`gpg_per_userdomain_template',`
 	# allow the usual access to /tmp
 	file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
 
-	if (use_nfs_home_dirs) {
+	tunable_policy(`use_nfs_home_dirs',`
 		create_dir_file($1_gpg_t, nfs_t)
-	}
+	')
-	if (use_samba_home_dirs) {
+	tunable_policy(`use_samba_home_dirs',`
 		create_dir_file($1_gpg_t, cifs_t)
-	}
+	')
 
 	rw_dir_create_file($1_gpg_t, $1_file_type)
 
@@ -199,12 +199,12 @@ define(`gpg_per_userdomain_template',`
 
 	ifdef(`TODO',`
 
-	if (use_nfs_home_dirs) {
+	tunable_policy(`use_nfs_home_dirs',`
 		dontaudit $1_gpg_helper_t nfs_t:file { read write };
-	}
+	')
-	if (use_samba_home_dirs) {
+	tunable_policy(`use_samba_home_dirs',`
 		dontaudit $1_gpg_helper_t cifs_t:file { read write };
-	}
+	')
 
 	# communicate with the user 
 	allow $1_gpg_helper_t $1_t:fd use;
@@ -261,12 +261,12 @@ define(`gpg_per_userdomain_template',`
 	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
 	allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
 	create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
-	if (use_nfs_home_dirs) {
+	tunable_policy(`use_nfs_home_dirs',`
 		create_dir_file($1_gpg_agent_t, nfs_t)
-	}
+	')
-	if (use_samba_home_dirs) {
+	tunable_policy(`use_samba_home_dirs',`
 		create_dir_file($1_gpg_agent_t, cifs_t)
-	}
+	')
 
 	# gpg connect
 	allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
@@ -327,19 +327,19 @@ define(`gpg_per_userdomain_template',`
 	dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
 	dontaudit $1_gpg_pinentry_t $1_home_t:file write;
 
-	if (use_nfs_home_dirs) {
+	tunable_policy(`use_nfs_home_dirs',`
 		allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
 		allow $1_gpg_pinentry_t nfs_t:file r_file_perms;
 		dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
 		dontaudit $1_gpg_pinentry_t nfs_t:file write;
-	}
+	')
 
-	if (use_samba_home_dirs) {
+	tunable_policy(`use_samba_home_dirs',`
 		allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
 		allow $1_gpg_pinentry_t cifs_t:file r_file_perms;
 		dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
 		dontaudit $1_gpg_pinentry_t cifs_t:file write;
-	}
+	')
 
 	dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
 	') dnl end TODO

refpolicy/policy/modules/apps/gpg.te

@@ -6,9 +6,6 @@ policy_module(gpg, 1.0)
 # Declarations
 #
 
-# Allow gpg exec stack
-bool allow_gpg_execstack false;
-
 # Type for gpg or pgp executables.
 type gpg_exec_t;
 type gpg_helper_exec_t;

refpolicy/policy/modules/services/mta.if

@@ -116,9 +116,9 @@ define(`mta_per_userdomain_template',`
 	# Create dead.letter in user home directories.
 	file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
 
-	if (use_samba_home_dirs) {
+	tunable_policy(`use_samba_home_dirs',`
 		rw_dir_create_file($1_mail_t, cifs_t)
-	}
+	')
 
 	# if you do not want to allow dead.letter then use the following instead
 	#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;

refpolicy/policy/modules/services/remotelogin.te

@@ -92,10 +92,10 @@ allow remote_login_t bin_t:dir r_dir_perms;
 allow remote_login_t bin_t:notdevfile_class_set r_file_perms;
 allow remote_login_t sbin_t:dir r_dir_perms;
 allow remote_login_t sbin_t:notdevfile_class_set r_file_perms;
-if (read_default_t) {
+tunable_policy(`read_default_t',`
 allow remote_login_t default_t:dir r_dir_perms;
 allow remote_login_t default_t:notdevfile_class_set r_file_perms;
-}
+')
 
 # Read directories and files with the readable_t type.
 # This type is a general type for "world"-readable files.
@@ -116,13 +116,13 @@ dontaudit remote_login_t sysfs_t:dir search;
 allow remote_login_t autofs_t:dir r_dir_perms;
 allow remote_login_t mnt_t:dir r_dir_perms;
 
-if (use_nfs_home_dirs) {
+tunable_policy(`use_nfs_home_dirs',`
-r_dir_file(remote_login_t, nfs_t)
+	r_dir_file(remote_login_t, nfs_t)
-}
+')
 
-if (use_samba_home_dirs) {
+tunable_policy(`use_samba_home_dirs',`
-r_dir_file(remote_login_t, cifs_t)
+	r_dir_file(remote_login_t, cifs_t)
-}
+')
 
 # FIXME: what is this for?
 ifdef(`xdm.te', `

refpolicy/policy/modules/system/locallogin.te

@@ -124,10 +124,11 @@ allow local_login_t bin_t:dir r_dir_perms;
 allow local_login_t bin_t:notdevfile_class_set r_file_perms;
 allow local_login_t sbin_t:dir r_dir_perms;
 allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
-if (read_default_t) {
+
+tunable_policy(`read_default_t',`
 	allow local_login_t default_t:dir r_dir_perms;
 	allow local_login_t default_t:notdevfile_class_set r_file_perms;
-}
+')
 
 # Read directories and files with the readable_t type.
 # This type is a general type for "world"-readable files.
@@ -182,13 +183,14 @@ allow local_login_t sound_device_t:chr_file { getattr setattr };
 # Allow setting of attributes on power management devices.
 allow local_login_t power_device_t:chr_file { getattr setattr };
 
-#if (use_nfs_home_dirs) {
+tunable_policy(`use_nfs_home_dirs',`
-#r_dir_file(local_login_t, nfs_t)
+	r_dir_file(local_login_t, nfs_t)
-#}
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	r_dir_file(local_login_t, cifs_t)
+')
 
-#if (use_samba_home_dirs) {
-#r_dir_file(local_login_t, cifs_t)
-#}
 ') dnl endif TODO
 
 #################################

refpolicy/policy/modules/system/userdomain.if

@@ -238,10 +238,10 @@ define(`base_user_domain',`
 	# /initrd is left mounted, various programs try to look at it
 	dontaudit $1_t ramfs_t:dir getattr;
 
-	if (read_default_t) {
+	tunable_policy(`read_default_t',`
 		allow $1_t default_t:dir r_dir_perms;
 		allow $1_t default_t:notdevfile_class_set r_file_perms;
-	}
+	')
 
 	#
 	# Running ifconfig as a user generates the following
@@ -254,10 +254,10 @@ define(`base_user_domain',`
 
 	can_ypbind($1_t)
 
-	if (allow_execmod) {
+	tunable_policy(`allow_execmod',`
 		# Allow text relocations on system shared libraries, e.g. libGL.
 		allow $1_t texrel_shlib_t:file execmod;
-	}
+	')
 
 	allow $1_t fs_type:dir getattr;
 
@@ -275,17 +275,19 @@ define(`base_user_domain',`
 	allow $1_t autofs_t:dir { getattr search };
 
 	can_exec($1_t, { removable_t noexattrfile } )
-	if (user_rw_noexattrfile) {
+
+	tunable_policy(`user_rw_noexattrfile',`
 		create_dir_file($1_t, noexattrfile)
 		create_dir_file($1_t, removable_t)
 		# Write floppies 
 		allow $1_t removable_device_t:blk_file rw_file_perms;
 		allow $1_t usbtty_device_t:chr_file write;
-	} else {
+	',`
 		r_dir_file($1_t, noexattrfile)
 		r_dir_file($1_t, removable_t)
 		allow $1_t removable_device_t:blk_file r_file_perms;
-	}
+	')
+
 	allow $1_t usbtty_device_t:chr_file read;
 
 	can_exec($1_t, noexattrfile)
@@ -526,15 +528,15 @@ define(`user_domain_template', `
 	')
 
 	ifdef(`ftpd.te', `
-		if (ftp_home_dir) {
+		tunable_policy(`ftp_home_dir',`
 			file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-		}
+		')
 	')
 
-	if (read_default_t) {
+	tunable_policy(`read_default_t',`
 		allow $1 default_t:dir r_dir_perms;
 		allow $1 default_t:notdevfile_class_set r_file_perms;
-	}
+	')
 
 	can_exec($1_t, usr_t)
 
@@ -557,11 +559,11 @@ define(`user_domain_template', `
 	allow $1_t var_lib_t:file { getattr read };
 
 	# Allow users to rw usb devices
-	if (user_rw_usb) {
+	tunable_policy(`user_rw_usb',`
 		rw_dir_create_file($1_t,usbdevfs_t)
-	} else {
+	',`
 		r_dir_file($1_t,usbdevfs_t)
-	}
+	')
 
 	# Do not audit write denials to /etc/ld.so.cache.
 	dontaudit $1_t ld_so_cache_t:file write;
@@ -765,10 +767,10 @@ define(`admin_domain_template',`
 
 	ifdef(`xdm.te', `
 		ifdef(`xauth.te', `
-			if (xdm_sysadm_login) {
+			tunable_policy(`xdm_sysadm_login',`
 				allow xdm_t $1_home_t:lnk_file read;
 				allow xdm_t $1_home_t:dir search;
-			}
+			')
 			allow $1_t xdm_t:fifo_file rw_file_perms;
 		')
 	')