From 659c8650c764e230cacafad17fec1190a6c7d436 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Mon, 17 Nov 2008 15:48:12 +0000
Subject: [PATCH] trunk 2 patches from dan.

---
 policy/modules/services/courier.fc |  1 +
 policy/modules/services/courier.te |  5 +++-
 policy/modules/services/dhcp.fc    |  1 +
 policy/modules/services/dhcp.if    | 40 ++++++++++++++++++++++++++++++
 policy/modules/services/dhcp.te    | 20 ++++++---------
 5 files changed, 54 insertions(+), 13 deletions(-)

diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc
index 7a91fd24..f1bf79ae 100644
--- a/policy/modules/services/courier.fc
+++ b/policy/modules/services/courier.fc
@@ -20,4 +20,5 @@
 
 /var/run/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_run_t,s0)
 
+/var/spool/authdaemon(/.*)?			gen_context(system_u:object_r:courier_spool_t,s0)
 /var/spool/courier(/.*)?			gen_context(system_u:object_r:courier_spool_t,s0)
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 475e5097..d0080bad 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -1,5 +1,5 @@
 
-policy_module(courier, 1.6.1)
+policy_module(courier, 1.6.2)
 
 ########################################
 #
@@ -53,6 +53,9 @@ allow courier_authdaemon_t courier_tcpd_t:fd use;
 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
 
+manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
+files_search_spool(courier_authdaemon_t)
+
 corecmd_search_bin(courier_authdaemon_t)
 
 # for SSP
diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
index 4d40b6b8..767e0c79 100644
--- a/policy/modules/services/dhcp.fc
+++ b/policy/modules/services/dhcp.fc
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/dhcpd	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
 
 /usr/sbin/dhcpd.*		--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
 
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
index 349b35d6..c3a50391 100644
--- a/policy/modules/services/dhcp.if
+++ b/policy/modules/services/dhcp.if
@@ -19,3 +19,43 @@ interface(`dhcpd_setattr_state_files',`
 	sysnet_search_dhcp_state($1)
 	allow $1 dhcpd_state_t:file setattr;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an dhcp environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the dhcp domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dhcpd_admin',`
+	gen_require(`
+		type dhcpd_t; type dhcpd_tmp_t;	type dhcpd_state_t;
+		type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+	')
+
+	allow $1 dhcpd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, dhcpd_t)
+
+	init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 dhcpd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, dhcpd_tmp_t)
+
+	admin_pattern($1, dhcpd_state_t)
+
+	files_list_pids($1)
+	admin_pattern($1, dhcpd_var_run_t)
+')
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index a81476ab..007ebc23 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -1,5 +1,5 @@
 
-policy_module(dhcp, 1.6.1)
+policy_module(dhcp, 1.6.2)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type dhcpd_t;
 type dhcpd_exec_t;
 init_daemon_domain(dhcpd_t, dhcpd_exec_t)
 
+type dhcpd_initrc_exec_t;
+init_script_file(dhcpd_initrc_exec_t)
+
 type dhcpd_state_t;
 files_type(dhcpd_state_t)
 
@@ -24,13 +27,12 @@ files_pid_file(dhcpd_var_run_t)
 # Local policy
 #
 
-allow dhcpd_t self:capability net_raw;
+allow dhcpd_t self:capability { net_raw sys_resource };
 dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
 allow dhcpd_t self:process signal_perms;
 allow dhcpd_t self:fifo_file rw_fifo_file_perms;
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
 allow dhcpd_t self:unix_stream_socket create_socket_perms;
-allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
 allow dhcpd_t self:tcp_socket create_stream_socket_perms;
 allow dhcpd_t self:udp_socket create_socket_perms;
 # Allow dhcpd_t to use packet sockets
@@ -51,6 +53,7 @@ files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file)
 
 kernel_read_system_state(dhcpd_t)
 kernel_read_kernel_sysctls(dhcpd_t)
+kernel_read_network_state(dhcpd_t)
 
 corenet_all_recvfrom_unlabeled(dhcpd_t)
 corenet_all_recvfrom_netlabel(dhcpd_t)
@@ -88,11 +91,12 @@ files_read_usr_files(dhcpd_t)
 files_read_etc_runtime_files(dhcpd_t)
 files_search_var_lib(dhcpd_t)
 
+auth_use_nsswitch(dhcpd_t)
+
 logging_send_syslog_msg(dhcpd_t)
 
 miscfiles_read_localization(dhcpd_t)
 
-sysnet_read_config(dhcpd_t)
 sysnet_read_dhcp_config(dhcpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
@@ -112,14 +116,6 @@ optional_policy(`
 	dbus_connect_system_bus(dhcpd_t)
 ')
 
-optional_policy(`
-	nis_use_ypbind(dhcpd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(dhcpd_t)
-')
-
 optional_policy(`
 	seutil_sigchld_newrole(dhcpd_t)
 ')