more fixing

refpolicy/policy/global_tunables

@@ -135,6 +135,10 @@ gen_tunable(ssh_sysadm_login,false)
 ## dir and read files (such as ~/.bashrc)
 gen_tunable(staff_read_sysadm_file,false)
 
+## Configure stunnel to be a standalone daemon or
+## inetd service.
+gen_tunable(stunnel_is_daemon,false)
+
 ## Support NFS home directories
 gen_tunable(use_nfs_home_dirs,false)
 

refpolicy/policy/modules/admin/amanda.te

@@ -45,7 +45,7 @@ type amanda_script_exec_t;
 files_type(amanda_script_exec_t)
 
 # temp:
-typeattribute amanda_user_exec_t entry_type;
+typeattribute amanda_script_exec_t entry_type;
 
 # type for the shell configuration files 
 type amanda_shellconfig_t;

refpolicy/policy/modules/admin/usermanage.te

@@ -304,6 +304,9 @@ selinux_compute_create_context(passwd_t)
 selinux_compute_relabel_context(passwd_t)
 selinux_compute_user_contexts(passwd_t)
 
+term_use_all_user_ttys(passwd_t)
+term_use_all_user_ptys(passwd_t)
+
 auth_manage_shadow(passwd_t)
 
 # /usr/bin/passwd asks for w access to utmp, but it will operate

refpolicy/policy/modules/kernel/kernel.te

@@ -166,6 +166,7 @@ allow kernel_t self:unix_stream_socket create_stream_socket_perms;
 allow kernel_t self:unix_dgram_socket sendto;
 allow kernel_t self:unix_stream_socket connectto;
 allow kernel_t self:fifo_file rw_file_perms;
+allow kernel_t self:sock_file r_file_perms;
 allow kernel_t self:fd use;
 
 # old general_proc_read_access():

refpolicy/policy/modules/services/apache.if

@@ -178,6 +178,13 @@ template(`apache_content_template',`
 		libs_read_lib(httpd_$1_script_t)
 
 		miscfiles_read_localization(httpd_$1_script_t)
+
+		# added back to make sediff nicer
+		dev_rw_null_dev(httpd_$1_script_t)
+		term_use_controlling_term(httpd_$1_script_t)
+		allow httpd_$1_script_t self:dir r_dir_perms;
+		allow httpd_$1_script_t self:file r_file_perms;
+		allow httpd_$1_script_t self:lnk_file read;
 	')
 
 	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`

refpolicy/policy/modules/services/apache.te

@@ -289,6 +289,10 @@ ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_tty(httpd_t)
 	term_dontaudit_use_generic_pty(httpd_t)
 	files_dontaudit_read_root_file(httpd_t)
+
+	tunable_policy(`httpd_enable_homedirs',`
+		userdom_search_generic_user_home_dir(httpd_t)
+	')
 ')
 
 tunable_policy(`allow_httpd_anon_write',`
@@ -335,6 +339,9 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	allow httpd_t httpdcontent:dir create_dir_perms;
 	allow httpd_t httpdcontent:file create_file_perms;
 	allow httpd_t httpdcontent:lnk_file create_lnk_perms;
+
+	# make sediff easier
+	allow httpd_sys_script_t httpdcontent:file { rx_file_perms entrypoint };
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -407,17 +414,6 @@ optional_policy(`rhgb.te',`
 
 can_tcp_connect(web_client_domain, httpd_t)
 
-ifdef(`targeted_policy',`
-	if (httpd_enable_homedirs) {
-		allow httpd_t user_home_dir_t:dir { getattr search };
-	}
-	if (httpd_enable_homedirs) {
-		allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
-	}
-	if (httpd_enable_homedirs) {
-		allow httpd_suexec_t user_home_dir_t:dir { getattr search };
-	}
-')
 ') dnl end TODO
 
 ########################################
@@ -495,12 +491,17 @@ allow httpd_suexec_t self:capability { setuid setgid };
 allow httpd_suexec_t self:process signal_perms;
 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
 
-# cjp: need transitionbool
+ifdef(`targeted_policy',`
-domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
+	gen_tunable(httpd_suexec_disable_trans,false)
-allow httpd_t httpd_suexec_t:fd use;
+
-allow httpd_suexec_t httpd_t:fd use;
+	tunable_policy(`httpd_suexec_disable_trans',`',`
-allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
+		domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-allow httpd_suexec_t httpd_t:process sigchld;
+		allow httpd_t httpd_suexec_t:fd use;
+		allow httpd_suexec_t httpd_t:fd use;
+		allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
+		allow httpd_suexec_t httpd_t:process sigchld;
+	')
+')
 
 allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
 allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
@@ -534,6 +535,12 @@ logging_send_syslog_msg(httpd_suexec_t)
 
 miscfiles_read_localization(httpd_suexec_t)
 
+ifdef(`targeted_policy',`
+	tunable_policy(`httpd_enable_homedirs',`
+		userdom_search_generic_user_home_dir(httpd_suexec_t)
+	')
+')
+
 tunable_policy(`httpd_can_network_connect',`
 	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
 	allow httpd_suexec_t self:udp_socket create_socket_perms;
@@ -555,6 +562,13 @@ tunable_policy(`httpd_can_network_connect',`
 
 tunable_policy(`httpd_enable_cgi',`
 	domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+	allow httpd_suexec_t httpd_unconfined_script_t:fd use;
+	allow httpd_unconfined_script_t httpd_suexec_t:fd use;
+	allow httpd_unconfined_script_t httpd_suexec_t:fifo_file rw_file_perms;
+	allow httpd_unconfined_script_t httpd_suexec_t:process sigchld;
+
+	# make sediff happy
+	allow httpd_unconfined_script_t httpd_unconfined_script_exec_t:file { ioctl read getattr lock execute entrypoint };
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
@@ -619,6 +633,12 @@ ifdef(`distro_redhat',`
 	allow httpd_sys_script_t httpd_log_t:file { getattr append };
 ')
 
+ifdef(`targeted_policy',`
+	tunable_policy(`httpd_enable_homedirs',`
+		userdom_search_generic_user_home_dir(httpd_sys_script_t)
+	')
+')
+
 optional_policy(`mysql.te',`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_socket(httpd_sys_script_t)

refpolicy/policy/modules/services/cups.te

@@ -598,8 +598,8 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(cupsd_config_t)
 ')
 
-optional_policy(`nis.te',`
+optional_policy(`hal.te',`
-	nis_use_ypbind(cupsd_config_t)
+	hal_domtrans(cupsd_config_t)
 ')
 
 optional_policy(`hostname.te',`
@@ -610,6 +610,10 @@ optional_policy(`logrotate.te',`
 	logrotate_use_fd(cupsd_config_t)
 ')
 
+optional_policy(`nis.te',`
+	nis_use_ypbind(cupsd_config_t)
+')
+
 optional_policy(`nscd.te',`
 	nscd_use_socket(cupsd_config_t)
 ')

refpolicy/policy/modules/services/hal.if

@@ -1 +1,22 @@
 ## <summary>Hardware abstraction layer</summary>
+
+########################################
+## <summary>
+##	Execute hal in the hal domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`hal_domtrans',`
+	gen_require(`
+		type hald_t, hald_exec_t;
+	')
+
+	domain_auto_trans($1,hald_exec_t,hald_t)
+
+	allow $1 hald_t:fd use;
+	allow hald_t $1:fd use;
+	allow hald_t $1:fifo_file rw_file_perms;
+	allow hald_t $1:process sigchld;
+')

refpolicy/policy/modules/services/hal.te

@@ -39,6 +39,7 @@ allow hald_t hald_tmp_t:file create_file_perms;
 files_create_tmp_files(hald_t, hald_tmp_t, { file dir })
 
 allow hald_t hald_var_run_t:file create_file_perms;
+allow hald_t hald_var_run_t:dir rw_dir_perms;
 files_create_pid(hald_t,hald_var_run_t)
 
 kernel_read_system_state(hald_t)

refpolicy/policy/modules/services/inetd.if

@@ -32,15 +32,18 @@ interface(`inetd_core_service_domain',`
 
 	role system_r types $1;
 
-	allow inetd_t $1:process sigkill;
-
 	ifdef(`targeted_policy',`
 		# this regex is a hack, since it assumes there is a
 		# _t at the end of the domain type.  If there is no _t
 		# at the end of the type, it returns empty!
 		bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
 		if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
-			can_exec(inetd_t,$2)
+#			can_exec(inetd_t,$2)
+			# cjp: this must be wrong
+			gen_require(`
+				type initrc_t, unconfined_t;
+			')
+			can_exec({ unconfined_t initrc_t },$2)
 		} else {
 			domain_auto_trans(inetd_t,$2,$1)
 			allow inetd_t $1:fd use;
@@ -49,6 +52,8 @@ interface(`inetd_core_service_domain',`
 			allow $1 inetd_t:process sigchld;
 			dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
 
+			allow inetd_t $1:process sigkill;
+
 			# make sediff happy
 			allow $1 $2:file { rx_file_perms entrypoint };
 		}
@@ -60,6 +65,8 @@ interface(`inetd_core_service_domain',`
 		allow $1 inetd_t:process sigchld;
 		dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
 
+		allow inetd_t $1:process sigkill;
+
 		# make sediff happy
 		allow $1 $2:file { rx_file_perms entrypoint };
 	')

refpolicy/policy/modules/services/postfix.te

@@ -38,7 +38,10 @@ type postfix_map_tmp_t;
 files_tmp_file(postfix_map_tmp_t)
 
 postfix_domain_template(master)
-mta_mailserver(postfix_master_t,postfix_master_exec_t)
+typealias postfix_master_t alias postfix_t;
+# alias is a hack to make the disable trans bool
+# generation macro work
+mta_mailserver(postfix_t,postfix_master_exec_t)
 
 postfix_public_domain_template(pickup)
 

refpolicy/policy/modules/services/ppp.te

@@ -70,6 +70,10 @@ allow pppd_t self:udp_socket { connect connected_socket_perms };
 allow pppd_t self:packet_socket create_socket_perms;
 
 domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
+allow pppd_t pptp_t:fd use;
+allow pptp_t pppd_t:fd use;
+allow pptp_t pppd_t:fifo_file rw_file_perms;
+allow pptp_t pppd_t:process sigchld;
 
 allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
 
@@ -179,10 +183,10 @@ ifdef(`targeted_policy', `
 
 	optional_policy(`postfix.te',`
 		gen_require(`
-			bool postfix_master_disable_transgre;
+			bool postfix_disable_trans;
 		')
 
-		if(!postfix_master_disable_trans) {
+		if(!postfix_disable_trans) {
 			postfix_domtrans_master(pppd_t)
 		}
 	')

refpolicy/policy/modules/services/privoxy.te

@@ -30,6 +30,7 @@ allow privoxy_t privoxy_log_t:dir rw_dir_perms;
 logging_create_log(privoxy_t,privoxy_log_t)
 
 allow privoxy_t privoxy_var_run_t:file create_file_perms;
+allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
 files_create_pid(privoxy_t,privoxy_var_run_t)
 
 kernel_read_kernel_sysctl(privoxy_t)

refpolicy/policy/modules/services/stunnel.te

@@ -37,6 +37,7 @@ allow stunnel_t self:capability { setgid setuid sys_chroot };
 allow stunnel_t self:process signal_perms;
 allow stunnel_t self:fifo_file rw_file_perms;
 allow stunnel_t self:tcp_socket create_stream_socket_perms;
+allow stunnel_t self:udp_socket create_socket_perms;
 
 allow stunnel_t stunnel_etc_t:dir { getattr read search };
 allow stunnel_t stunnel_etc_t:file { read getattr };
@@ -138,3 +139,14 @@ ifdef(`distro_gentoo', `
         	nscd_use_socket(stunnel_t)
 	')
 ')
+
+tunable_policy(`stunnel_is_daemon',`
+	allow stunnel_t self:tcp_socket create_stream_socket_perms;
+
+	# hack since this port has no interfaces since it doesnt
+	# have net_contexts
+	gen_require(`
+		type stunnel_port_t;
+	')
+	allow stunnel_t stunnel_port_t:tcp_socket name_bind;
+')

refpolicy/policy/modules/system/logging.te

@@ -187,7 +187,8 @@ rhgb_domain(auditd_t)
 #
 
 allow klogd_t klogd_tmp_t:file create_file_perms;
-files_create_tmp_files(klogd_t,klogd_tmp_t)
+allow klogd_t klogd_tmp_t:dir create_dir_perms;
+files_create_tmp_files(klogd_t,klogd_tmp_t,{ file dir })
 
 allow klogd_t klogd_var_run_t:file create_file_perms;
 
@@ -209,6 +210,8 @@ dev_read_sysfs(klogd_t)
 fs_getattr_all_fs(klogd_t)
 fs_search_auto_mountpoints(klogd_t)
 
+term_dontaudit_use_console(klogd_t)
+
 domain_use_wide_inherit_fd(klogd_t)
 
 files_create_pid(klogd_t,klogd_var_run_t)

refpolicy/policy/modules/system/modutils.te

@@ -50,6 +50,10 @@ allow insmod_t { modules_conf_t modules_dep_t }:file r_file_perms;
 
 can_exec(insmod_t, insmod_exec_t)
 
+# make sediff happy (no effect)
+dontaudit insmod_t self:process { noatsecure rlimitinh siginh };
+type_transition insmod_t insmod_exec_t:process insmod_t;
+
 kernel_load_module(insmod_t)
 kernel_read_system_state(insmod_t)
 kernel_mount_debugfs(insmod_t)

refpolicy/policy/modules/system/sysnetwork.te

@@ -273,6 +273,8 @@ dontaudit ifconfig_t self:capability sys_module;
 
 allow ifconfig_t self:fd use;
 allow ifconfig_t self:fifo_file rw_file_perms;
+allow ifconfig_t self:sock_file r_file_perms;
+allow ifconfig_t self:socket create_socket_perms;
 allow ifconfig_t self:unix_dgram_socket create_socket_perms;
 allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
 allow ifconfig_t self:unix_dgram_socket sendto;

refpolicy/policy/modules/system/userdomain.if

@@ -2126,6 +2126,22 @@ interface(`userdom_create_generic_user_home_dir',`
 	files_create_home_dirs($1,user_home_dir_t)
 ')
 
+########################################
+## <summary>
+##	Search generic user home directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_search_generic_user_home_dir',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	allow $1 user_home_dir_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete