From 6f11d6b894d04db67cbf6d252b702a5271b1aba3 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 4 Jan 2006 19:31:53 +0000
Subject: [PATCH] add readahead

---
 refpolicy/Changelog | 1 +
 refpolicy/policy/modules/admin/readahead.fc | 4 ++
 refpolicy/policy/modules/admin/readahead.if | 1 +
 refpolicy/policy/modules/admin/readahead.te | 72 ++++++++++++++++++++
 refpolicy/policy/modules/kernel/files.if | 38 ++++++++++-
 refpolicy/policy/modules/system/authlogin.te | 2 +-
 6 files changed, 115 insertions(+), 3 deletions(-)
 create mode 100644 refpolicy/policy/modules/admin/readahead.fc
 create mode 100644 refpolicy/policy/modules/admin/readahead.if
 create mode 100644 refpolicy/policy/modules/admin/readahead.te

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 1a9c1e06..530ba5c3 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -7,6 +7,7 @@
 ddcprobe
 fetchmail
 openct
+ readahead
 smartmon
 sysstat
 vbetool (Dan Walsh)
diff --git a/refpolicy/policy/modules/admin/readahead.fc b/refpolicy/policy/modules/admin/readahead.fc
new file mode 100644
index 00000000..26c1128e
--- /dev/null
+++ b/refpolicy/policy/modules/admin/readahead.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/readahead.if b/refpolicy/policy/modules/admin/readahead.if
new file mode 100644
index 00000000..47c4723c
--- /dev/null
+++ b/refpolicy/policy/modules/admin/readahead.if
@@ -0,0 +1 @@
+## Readahead, read files into page cache for improved performance
diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te
new file mode 100644
index 00000000..ac097eaa
--- /dev/null
+++ b/refpolicy/policy/modules/admin/readahead.te
@@ -0,0 +1,72 @@
+
+policy_module(readahead,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type readahead_t;
+type readahead_exec_t;
+init_daemon_domain(readahead_t,readahead_exec_t)
+
+type readahead_var_run_t;
+files_pid_file(readahead_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit readahead_t self:capability sys_tty_config;
+allow readahead_t self:process signal_perms;
+
+allow readahead_t readahead_var_run_t:file create_file_perms;
+allow readahead_t readahead_var_run_t:dir rw_dir_perms;
+files_create_pid(readahead_t,readahead_var_run_t)
+
+kernel_read_kernel_sysctl(readahead_t)
+kernel_read_system_state(readahead_t)
+
+dev_read_sysfs(readahead_t)
+dev_getattr_generic_chr_file(readahead_t)
+dev_getattr_generic_blk_file(readahead_t)
+dev_getattr_all_chr_files(readahead_t)
+dev_getattr_all_blk_files(readahead_t)
+dev_dontaudit_read_all_blk_files(readahead_t)
+
+domain_use_wide_inherit_fd(readahead_t)
+
+files_dontaudit_getattr_all_sockets(readahead_t)
+files_list_non_security(readahead_t)
+files_read_non_security_files(readahead_t)
+
+fs_getattr_all_fs(readahead_t)
+fs_search_auto_mountpoints(readahead_t)
+
+term_dontaudit_use_console(readahead_t)
+
+auth_dontaudit_read_shadow(readahead_t)
+
+init_use_fd(readahead_t)
+init_use_script_pty(readahead_t)
+
+libs_use_ld_so(readahead_t)
+libs_use_shared_libs(readahead_t)
+
+logging_send_syslog_msg(readahead_t)
+
+miscfiles_read_localization(readahead_t)
+
+userdom_dontaudit_use_unpriv_user_fd(readahead_t)
+userdom_dontaudit_search_sysadm_home_dir(readahead_t)
+
+ifdef(`targeted_policy',`
+ files_dontaudit_read_root_file(readahead_t)
+ term_dontaudit_use_unallocated_tty(readahead_t)
+ term_dontaudit_use_generic_pty(readahead_t)
+')
+
+optional_policy(`selinuxutil',`
+ seutil_sigchld_newrole(readahead_t)
+')
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 74c154fc..91ab7c34 100644
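Review bot: The pair `files_list_non_security(readahead_t)` / `files_read_non_security_files(readahead_t)` lets this domain read every file_type that is not tagged security_file_type, and as far as this patch shows the only type tagged that way is shadow_t, so the grant effectively covers the whole filesystem, user home directories included, even though the `userdom_dontaudit_search_sysadm_home_dir` line suggests home content is meant to be out of scope. Readahead pre-reads a fixed set of boot files, so a grant limited to the types it actually loads (or at least excluding home and tmp types) would keep the domain closer to least privilege. If the broad rule is kept on purpose, record the trade-off above those two lines, e.g. `# readahead pre-reads arbitrary files named in its config; anything not tagged security_file_type is readable here`, so the next reader does not mistake it for an oversight. The `auth_dontaudit_read_shadow` line is consistent with that design since shadow_t is excluded by the attribute rather than by a missing rule.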
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -308,10 +308,26 @@ interface(`files_list_all',`
 allow $1 file_type:dir r_dir_perms;
 ')
 
+########################################
+##
+## List all non-security directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_list_non_security',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
+')
+
 ########################################
 ##
 ## Do not audit attempts to list all
-## non security directories.
+## non-security directories.
 ##
 ##
 ## Domain to not audit.
@@ -420,6 +436,24 @@ interface(`files_read_all_files',`
 ')
 ')
 
+########################################
+##
+## Read all non-security files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_read_non_security_files',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ allow $1 { file_type -security_file_type }:dir search_dir_perms;
+ allow $1 { file_type -security_file_type }:file r_file_perms;
+ allow $1 { file_type -security_file_type }:lnk_file { getattr read };
+')
+
 ########################################
 ##
 ## Read all directories on the filesystem, except
@@ -466,7 +500,7 @@ interface(`files_read_all_files_except',`
 
 ########################################
 ##
-## Read all symbloic links on the filesystem, except
+## Read all symbolic links on the filesystem, except
 ## the listed exceptions.
 ##
 ##
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index e67be670..0cc11044 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
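Review bot: The body of the new `files_list_non_security` interface is a `dontaudit` rule, so it grants nothing, while its summary and the `Domain allowed access.` parameter text promise list access; it looks copied from the `files_dontaudit_list_non_security` interface immediately below it. The rule should be `allow $1 { file_type -security_file_type }:dir r_dir_perms;`. As written, readahead_t, which calls this interface in the same patch, ends up with directory search only (from `files_read_non_security_files`) and no list permission, and any listing denial it does hit is suppressed from the audit log instead of being reported. For both new interfaces it is also worth saying in the summary that the exclusion is only as strong as the security_file_type tagging, since at this point in the patch shadow_t is the only type visibly given that attribute.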
@@ -48,7 +48,7 @@ type pam_var_run_t;
 files_pid_file(pam_var_run_t)
 
 type shadow_t;
-files_type(shadow_t)
+files_security_file(shadow_t)
 neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
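Review bot: Replacing `files_type(shadow_t)` with `files_security_file(shadow_t)` makes the `{ file_type -security_file_type }` interfaces added in files.if exclude shadow_t, which is the intent, but whether shadow_t keeps the plain file_type attribute now depends on `files_security_file` also applying it, and that definition is not part of this patch; if it does not, any rule keyed on file_type alone (generic getattr, search or relabel over all files) silently loses shadow_t, so that is worth confirming before merge. The three neverallow rules that follow are untouched and still cover read, create/write and relabelto on shadow_t:file, so the new attribute tightens access in addition to that guard rather than replacing it. A short comment above the changed line, `# security_file_type: kept out of the files_*_non_security interfaces`, would make the reason for the attribute visible where it is applied.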