fix most disable_trans errors

refpolicy/Makefile

@@ -71,7 +71,7 @@ MONOLITHIC=y
 PREFIX := /usr
 BINDIR := $(PREFIX)/bin
 SBINDIR := $(PREFIX)/sbin
-CHECKPOLICY := $(BINDIR)/checkpolicy
+CHECKPOLICY := /tmp/$(BINDIR)/checkpolicy
 CHECKMODULE := $(BINDIR)/checkmodule
 SEMOD_PKG := $(BINDIR)/semodule_package
 LOADPOLICY := $(SBINDIR)/load_policy

refpolicy/policy/modules/services/cpucontrol.te

@@ -8,14 +8,14 @@ policy_module(cpucontrol,1.0)
 
 type cpucontrol_t;
 type cpucontrol_exec_t;
-init_daemon_domain(cpucontrol_t,cpucontrol_exec_t)
+init_system_domain(cpucontrol_t,cpucontrol_exec_t)
 
 type cpucontrol_conf_t;
 files_type(cpucontrol_conf_t)
 
 type cpuspeed_t;
 type cpuspeed_exec_t;
-init_daemon_domain(cpuspeed_t,cpuspeed_exec_t)
+init_system_domain(cpuspeed_t,cpuspeed_exec_t)
 
 ########################################
 #
@@ -61,6 +61,10 @@ ifdef(`targeted_policy',`
 	files_dontaudit_read_root_file(cpucontrol_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(cpucontrol_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(cpucontrol_t)
 ')
@@ -117,6 +121,10 @@ ifdef(`targeted_policy',`
 	files_dontaudit_read_root_file(cpuspeed_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(cpuspeed_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(cpuspeed_t)
 ')

refpolicy/policy/modules/services/finger.te

@@ -7,7 +7,7 @@ policy_module(finger,1.0)
 #
 type fingerd_t;
 type fingerd_exec_t;
-init_daemon_domain(fingerd_t,fingerd_exec_t)
+init_system_domain(fingerd_t,fingerd_exec_t)
 inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
 
 type fingerd_etc_t;

refpolicy/policy/modules/services/inetd.if

@@ -32,14 +32,37 @@ interface(`inetd_core_service_domain',`
 
 	role system_r types $1;
 
-	domain_auto_trans(inetd_t,$2,$1)
-
-	allow $1 inetd_t:fd use;
-	allow inetd_t $1:fd use;
-	allow $1 inetd_t:fifo_file rw_file_perms;
-	allow $1 inetd_t:process sigchld;
-
 	allow inetd_t $1:process sigkill;
+
+	ifdef(`targeted_policy',`
+		# this regex is a hack, since it assumes there is a
+		# _t at the end of the domain type.  If there is no _t
+		# at the end of the type, it returns empty!
+		bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
+		if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
+			can_exec(inetd_t,$2)
+		} else {
+			domain_auto_trans(inetd_t,$2,$1)
+			allow inetd_t $1:fd use;
+			allow $1 inetd_t:fd use;
+			allow $1 inetd_t:fifo_file rw_file_perms;
+			allow $1 inetd_t:process sigchld;
+			dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
+
+			# make sediff happy
+			allow $1 $2:file { rx_file_perms entrypoint };
+		}
+	',`
+		domain_auto_trans(inetd_t,$2,$1)
+		allow inetd_t $1:fd use;
+		allow $1 inetd_t:fd use;
+		allow $1 inetd_t:fifo_file rw_file_perms;
+		allow $1 inetd_t:process sigchld;
+		dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
+
+		# make sediff happy
+		allow $1 $2:file { rx_file_perms entrypoint };
+	')
 ')
 
 ########################################

refpolicy/policy/modules/services/tftp.te

@@ -8,7 +8,7 @@ policy_module(tftp,1.0)
 
 type tftpd_t;
 type tftpd_exec_t;
-init_daemon_domain(tftpd_t,tftpd_exec_t)
+init_system_domain(tftpd_t,tftpd_exec_t)
 inetd_udp_service_domain(tftpd_t,tftpd_exec_t)
 
 type tftpd_var_run_t;

refpolicy/policy/modules/system/init.if

@@ -99,6 +99,9 @@ interface(`init_daemon_domain',`
 			allow $1 initrc_t:fifo_file rw_file_perms;
 			allow $1 initrc_t:process sigchld;
 			allow initrc_t $1:process { noatsecure siginh rlimitinh };
+
+			# make sediff happy
+			allow $1 $2:file { rx_file_perms entrypoint };
 		}
 	',`
 		domain_auto_trans(initrc_t,$2,$1)
@@ -107,6 +110,9 @@ interface(`init_daemon_domain',`
 		allow $1 initrc_t:fifo_file rw_file_perms;
 		allow $1 initrc_t:process sigchld;
 		dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
+
+		# make sediff happy
+		allow $1 $2:file { rx_file_perms entrypoint };
 	')
 
 	optional_policy(`nscd.te',`

refpolicy/policy/modules/system/unconfined.te

@@ -49,4 +49,5 @@ ifdef(`targeted_policy',`
 	')
 
 	') dnl end TODO
+	typeattribute unconfined_t direct_run_init;
 ')