* break up files_getattr_all_files into correct interfaces

* move stuff out of pcmcia into the appropriate modules

refpolicy/policy/modules/kernel/devices.if

@@ -812,6 +812,24 @@ interface(`dev_rw_apm_bios',`
 	allow $1 apm_bios_t:chr_file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read and
+##	write the PCMCIA card manager device.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`dev_dontaudit_rw_cardmgr',`
+	gen_require(`
+		type cardmgr_dev_t;
+		class chr_file { read write };
+	')
+
+	dontaudit $1 cardmgr_dev_t:chr_file { read write };
+')
+
 ########################################
 ## <summary>
 ##	Read the CPU identity.

refpolicy/policy/modules/services/cron.te

@@ -259,7 +259,11 @@ files_exec_etc_files(system_crond_t)
 files_read_etc_files(system_crond_t)
 files_read_etc_runtime_files(system_crond_t)
 files_list_all_dirs(system_crond_t)
+files_getattr_all_dirs(system_crond_t)
 files_getattr_all_files(system_crond_t)
+files_getattr_all_symlinks(system_crond_t)
+files_getattr_all_pipes(system_crond_t)
+files_getattr_all_sockets(system_crond_t)
 files_read_usr_files(system_crond_t)
 files_read_var_files(system_crond_t)
 # for nscd:

refpolicy/policy/modules/system/files.if

@@ -104,27 +104,185 @@ interface(`files_tmpfs_file',`
 	typeattribute $1 tmpfsfile;
 ')
 
+########################################
+## <summary>
+##	Get the attributes of all directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_getattr_all_dirs',`
+	gen_require(`
+		attribute file_type;
+		class dir { getattr search };
+	')
+
+	allow $1 file_type:dir { getattr search };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all directories.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_dirs',`
+	gen_require(`
+		attribute file_type;
+		class dir getattr;
+	')
+
+	dontaudit $1 file_type:dir getattr;
+')
+
 ########################################
 #
 # files_getattr_all_files(domain)
-
+#
 interface(`files_getattr_all_files',`
 	gen_require(`
 		attribute file_type;
-		class dir { search getattr };
+		class dir search;
 		class file getattr;
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all files.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_files',`
+	gen_require(`
+		attribute file_type;
+		class file getattr;
+	')
+
+	dontaudit $1 file_type:file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all symbolic links.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_getattr_all_symlinks',`
+	gen_require(`
+		attribute file_type;
+		class dir search;
 		class lnk_file getattr;
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all symbolic links.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_symlinks',`
+	gen_require(`
+		attribute file_type;
+		class lnk_file getattr;
+	')
+
+	dontaudit $1 file_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all named pipes.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_getattr_all_pipes',`
+	gen_require(`
+		attribute file_type;
+		class dir search;
 		class fifo_file getattr;
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all named pipes.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_pipes',`
+	gen_require(`
+		attribute file_type;
+		class fifo_file getattr;
+	')
+
+	dontaudit $1 file_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all named sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_getattr_all_sockets',`
+	gen_require(`
+		attribute file_type;
+		class dir search;
 		class sock_file getattr;
 	')
 
-	allow $1 file_type:dir { search getattr };
-	allow $1 file_type:file getattr;
-	allow $1 file_type:lnk_file getattr;
-	allow $1 file_type:fifo_file getattr;
+	allow $1 file_type:dir search;
 	allow $1 file_type:sock_file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all named sockets.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_sockets',`
+	gen_require(`
+		attribute file_type;
+		class sock_file getattr;
+	')
+
+	dontaudit $1 file_type:sock_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Relabel all files on the filesystem, except

refpolicy/policy/modules/system/init.te

@@ -264,7 +264,11 @@ domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_unix_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_unnamed_pipes(initrc_t)
 
+files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
+files_getattr_all_symlinks(initrc_t)
+files_getattr_all_pipes(initrc_t)
+files_getattr_all_sockets(initrc_t)
 files_delete_all_tmp_files(initrc_t)
 files_delete_all_locks(initrc_t)
 files_read_all_pids(initrc_t)

refpolicy/policy/modules/system/modutils.te

@@ -103,6 +103,10 @@ logging_search_logs(insmod_t)
 
 miscfiles_read_localization(insmod_t)
 
+ifdef(`hide_broken_symptoms',`
+	dev_dontaudit_rw_cardmgr(insmod_t)
+')
+
 optional_policy(`mount.te',`
 	mount_domtrans(insmod_t)
 ')

refpolicy/policy/modules/system/pcmcia.if

@@ -1,5 +1,29 @@
 ## <summary>PCMCIA card management services</summary>
 
+########################################
+## <summary>
+##	Execute cardmgr in the cardmgr domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`pcmcia_domtrans_cardmgr',`
+	gen_require(`
+		type cardmgr_t, cardmgr_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	domain_auto_trans($1,cardmgr_exec_t,cardmgr_t)
+
+	allow $1 cardmgr_t:fd use;
+	allow cardmgr_t $1:fd use;
+	allow cardmgr_t $1:fifo_file rw_file_perms;
+	allow cardmgr_t $1:process sigchld;
+')
+
 ########################################
 ## <summary>
 ##	Execute cardctl in the cardmgr domain.

refpolicy/policy/modules/system/pcmcia.te

@@ -43,8 +43,11 @@ kernel_read_system_state(cardmgr_t)
 kernel_read_kernel_sysctl(cardmgr_t)
 kernel_list_proc(cardmgr_t)
 kernel_read_proc_symlinks(cardmgr_t)
+kernel_dontaudit_getattr_message_if(cardmgr_t)
 
 dev_read_sysfs(cardmgr_t)
+dev_getattr_all_chr_files(cardmgr_t)
+dev_getattr_all_blk_files(cardmgr_t)
 # for SSP
 dev_read_urand(cardmgr_t)
 
@@ -52,6 +55,7 @@ fs_getattr_all_fs(cardmgr_t)
 fs_search_auto_mountpoints(cardmgr_t)
 
 term_use_unallocated_tty(cardmgr_t)
+term_getattr_all_user_ttys(cardmgr_t)
 term_dontaudit_use_console(cardmgr_t)
 
 corecmd_exec_bin(cardmgr_t)
@@ -59,10 +63,18 @@ corecmd_exec_sbin(cardmgr_t)
 
 domain_use_wide_inherit_fd(cardmgr_t)
 domain_exec_all_entry_files(cardmgr_t)
+# cjp: these look excessive:
+domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)
 
 files_search_home(cardmgr_t)
 files_read_etc_runtime_files(cardmgr_t)
 files_exec_etc_files(cardmgr_t)
+# cjp: these look excessive:
+files_dontaudit_getattr_all_dirs(cardmgr_t)
+files_dontaudit_getattr_all_files(cardmgr_t)
+files_dontaudit_getattr_all_symlinks(cardmgr_t)
+files_dontaudit_getattr_all_pipes(cardmgr_t)
+files_dontaudit_getattr_all_sockets(cardmgr_t)
 
 init_use_fd(cardmgr_t)
 init_use_script_pty(cardmgr_t)
@@ -116,21 +128,17 @@ file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t },
 
 # Read /proc/PID directories for all domains (for fuser).
 can_ps(cardmgr_t, domain)
-allow cardmgr_t device_type:{ chr_file blk_file } getattr;
-allow cardmgr_t ttyfile:chr_file getattr;
+
 dontaudit cardmgr_t ptyfile:chr_file getattr;
-dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
-dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
-dontaudit cardmgr_t proc_kmsg_t:file getattr;
+# cjp: these look excessive:
+dontaudit cardmgr_t domain:socket_class_set getattr;
 
-ifdef(`apmd.te', `
-domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
+# this goes to apm
+optional_policy(`pcmcia.te',`
+	pcmcia_domtrans_cardmgr(apmd_t)
+	pcmcia_domtrans_cardctl(apmd_t)
 ')
 
-ifdef(`hide_broken_symptoms', `
-dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
-dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
-')
 ifdef(`hald.te', `
 rw_dir_file(hald_t, cardmgr_var_run_t)
 allow hald_t cardmgr_var_run_t:chr_file create_file_perms;

refpolicy/policy/modules/system/sysnetwork.te

@@ -285,7 +285,13 @@ seutil_use_runinit_fd(ifconfig_t)
 userdom_use_all_user_fd(ifconfig_t)
 
 ifdef(`hide_broken_symptoms',`
-	udev_donaudit_rw_unix_dgram_socket(ifconfig_t)
+	optional_policy(`pcmcia.te',`
+		dev_dontaudit_rw_cardmgr(ifconfig_t)
+	')
+
+	optional_policy(`udev.te',`
+		udev_donaudit_rw_unix_dgram_socket(ifconfig_t)
+	')
 ')
 
 optional_policy(`nis.te',`