more low hanging fruit cleanup

refpolicy/policy/modules/admin/rpm.te

@@ -158,7 +158,9 @@ sysnet_read_config(rpm_t)
 
 userdom_use_unpriv_users_fd(rpm_t)
 
-#cron_transition_from(rpm,rpm_exec_t)
+optional_policy(`cron.te',`
+	cron_system_entry(rpm_t,rpm_exec_t)
+')
 
 optional_policy(`nis.te',`
 	nis_use_ypbind(rpm_t)

refpolicy/policy/modules/kernel/devices.if

@@ -349,6 +349,25 @@ interface(`dev_manage_generic_symlinks',`
 	allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
 ')
 
+########################################
+## <summary>
+##	Relabel symbolic links in device directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_relabel_generic_symlinks',`
+	gen_require(`
+		type device_t;
+		class dir r_dir_perms;
+		class lnk_file { relabelfrom relabelto };
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 device_t:lnk_file { relabelfrom relabelto };
+')
+
 ########################################
 ## <summary>
 ##	Create, delete, read, and write device nodes in device directories.

refpolicy/policy/modules/kernel/storage.if

@@ -141,9 +141,9 @@ interface(`storage_create_fixed_disk_dev_entry',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Create, read, write, and delete fixed disk device nodes.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -160,6 +160,42 @@ interface(`storage_manage_fixed_disk',`
 	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')
 
+########################################
+## <summary>
+##	Relabel fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`storage_relabel_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+		class blk_file { relabelfrom relabelto };
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Enable a fixed disk device as swap space
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`storage_swapon_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+		class blk_file { getattr swapon };
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file { getattr swapon };
+')
+
 ########################################
 ## <desc>
 ##	Allow the caller to directly read from a logical volume.

refpolicy/policy/modules/services/cron.if

@@ -269,9 +269,46 @@ template(`cron_admin_template',`
 ')
 
 ########################################
+## <summary>
+##	Make the specified program domain accessable
+##	from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	The type of the process to transition to.
+## </param>
+## <param name="entrypoint">
+##	The type of the file used as an entrypoint to this domain.
+## </param>
 #
-# cron_rw_log(domain)
+interface(`cron_system_entry',`
-#
+	gen_require(`
+		type crond_t, system_crond_t;
+		class fd use;
+		class fifo_file rw_file_perms;
+		class process sigchld;
+	')
+
+	domain_auto_trans(system_crond_t, $2, $1)
+
+	# cjp: perhaps these four rules from the old
+	# domain_auto_trans are not needed?
+	allow system_crond_t $1:fd use;
+	allow $1 system_crond_t:fd use;
+	allow $1 system_crond_t:fifo_file rw_file_perms;
+	allow $1 system_crond_t:process sigchld;
+
+	allow $1 crond_t:fifo_file { getattr read write ioctl };
+	allow $1 crond_t:fd use;
+	allow $1 crond_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read and write the cron daemon log files.
+## </summary>
+## <param name="domain">
+##	The type of the process to performing this action.
+## </param>
 interface(`cron_rw_log',`
 	gen_require(`
 		type crond_log_t;

refpolicy/policy/modules/services/cron.te

@@ -249,11 +249,8 @@ dev_read_urand(system_crond_t)
 fs_getattr_all_fs(system_crond_t)
 fs_getattr_all_files(system_crond_t)
 
-init_use_fd(system_crond_t)
+corecmd_exec_bin(system_crond_t)
-init_use_script_fd(system_crond_t)
+corecmd_exec_sbin(system_crond_t)
-init_use_script_pty(system_crond_t)
-init_read_script_pid(system_crond_t)
-init_dontaudit_rw_script_pid(system_crond_t)
 
 domain_exec_all_entry_files(system_crond_t)
 
@@ -263,14 +260,20 @@ files_read_etc_runtime_files(system_crond_t)
 files_list_all_dirs(system_crond_t)
 files_getattr_all_files(system_crond_t)
 files_read_usr_files(system_crond_t)
+files_read_var_file(system_crond_t)
 # for nscd:
 files_dontaudit_search_pids(system_crond_t)
 # Access other spool directories like
 # /var/spool/anacron and /var/spool/slrnpull.
 files_manage_spools(system_crond_t)
 
-corecmd_exec_bin(system_crond_t)
+init_use_fd(system_crond_t)
-corecmd_exec_sbin(system_crond_t)
+init_use_script_fd(system_crond_t)
+init_use_script_pty(system_crond_t)
+init_read_script_pid(system_crond_t)
+init_dontaudit_rw_script_pid(system_crond_t)
+# prelink tells init to restart it self, we either need to allow or dontaudit
+init_write_initctl(system_crond_t)
 
 libs_use_ld_so(system_crond_t)
 libs_use_shared_libs(system_crond_t)
@@ -314,12 +317,6 @@ dontaudit system_crond_t unlabeled_t:file r_file_perms;
 
 allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
 
-# prelink tells init to restart it self, we either need to allow or dontaudit
-allow system_crond_t initctl_t:fifo_file write;
-
-allow system_crond_t var_t:dir r_dir_perms;
-allow system_crond_t var_t:file r_file_perms;
-
 # Write to /var/lib/slocate.db.
 allow system_crond_t var_lib_t:dir rw_dir_perms;
 allow system_crond_t var_lib_t:file create_file_perms;

refpolicy/policy/modules/system/fstools.te

@@ -53,6 +53,9 @@ dev_read_urand(fsadm_t)
 dev_manage_generic_symlinks(fsadm_t)
 # Access to /initrd devices
 dev_search_usbfs(fsadm_t)
+# for swapon
+dev_getattr_sysfs_dir(fsadm_t)
+dev_search_sysfs(fsadm_t)
 
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)
@@ -64,6 +67,7 @@ storage_raw_write_fixed_disk(fsadm_t)
 storage_raw_read_removable_device(fsadm_t)
 storage_raw_write_removable_device(fsadm_t)
 storage_read_scsi_generic(fsadm_t)
+storage_swapon_fixed_disk(fsadm_t)
 
 domain_use_wide_inherit_fd(fsadm_t)
 
@@ -93,14 +97,16 @@ seutil_read_config(fsadm_t)
 
 userdom_use_unpriv_users_fd(fsadm_t)
 
+optional_policy(`cron.te',`
+	# for smartctl cron jobs
+	cron_system_entry(fsadm_t,fsadm_exec_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(fsadm_t)
 ')
 
 ifdef(`TODO',`
-# for swapon
-allow fsadm_t sysfs_t:dir { search getattr };
-
 # for /dev/shm
 allow fsadm_t tmpfs_t:dir { getattr search };
 
@@ -126,15 +132,9 @@ allow fsadm_t file_t:dir { search read getattr rmdir create };
 # Recreate /mnt/cdrom.
 allow fsadm_t mnt_t:dir { rmdir create };
 
-# Enable swapping to devices and files
-allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
-
 # Access terminals.
 ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
 
-# for smartctl cron jobs
-system_crond_entry(fsadm_exec_t, fsadm_t)
-
 # Access to /initrd devices
 allow fsadm_t unlabeled_t:dir rw_dir_perms;
 allow fsadm_t unlabeled_t:blk_file rw_file_perms;

refpolicy/policy/modules/system/init.if

@@ -158,6 +158,20 @@ interface(`init_dontaudit_getattr_initctl',`
 	dontaudit $1 initctl_t:fifo_file getattr;
 ')
 
+########################################
+#
+# init_write_initctl(domain)
+#
+interface(`init_write_initctl',`
+	gen_require(`
+		type initctl_t;
+		class fifo_file write;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 initctl_t:fifo_file write;
+')
+
 ########################################
 #
 # init_use_initctl(domain)

refpolicy/policy/modules/system/lvm.te

@@ -92,17 +92,21 @@ dev_manage_generic_blk_file(lvm_t)
 dev_read_sysfs(lvm_t)
 # Read /sys/block. Device mapper metadata is kept there.
 dev_read_sysfs(sysfs_t)
+# cjp: this has no effect since LVM does not
+# have lnk_file relabelto for anything else.
+# perhaps this should be blk_files?
+dev_relabel_generic_symlinks(lvm_t)
 # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
 dev_dontaudit_getattr_all_chr_files(lvm_t)
 dev_dontaudit_getattr_all_blk_files(lvm_t)
 dev_dontaudit_getattr_generic_chr_file(lvm_t)
 dev_dontaudit_getattr_generic_blk_file(lvm_t)
 dev_dontaudit_getattr_generic_pipe(lvm_t)
-term_dontaudit_getattr_all_user_ttys(lvm_t)
 
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
 
+storage_relabel_fixed_disk(lvm_t)
 # LVM creates block devices in /dev/mapper or /dev/<vg>
 # depending on its version
 # LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
@@ -111,6 +115,8 @@ storage_create_fixed_disk_dev_entry(lvm_t)
 # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
 storage_manage_fixed_disk(lvm_t)
 
+term_dontaudit_getattr_all_user_ttys(lvm_t)
+
 corecmd_search_sbin(lvm_t)
 corecmd_dontaudit_getattr_sbin_file(lvm_t)
 
@@ -159,11 +165,6 @@ optional_policy(`udev.te', `
 
 ifdef(`TODO',`
 allow lvm_t default_context_t:dir search;
-allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
-
-# cjp: ? this has no effect since LVM does not
-# have lnk_file relabelto for anything else.
-allow lvm_t device_t:lnk_file { relabelfrom relabelto };
 
 dontaudit lvm_t var_run_t:dir getattr;
 
@@ -175,10 +176,8 @@ optional_policy(`gpm.te', `
 	dontaudit lvm_t gpmctl_t:sock_file getattr;
 ')
 
-optional_policy(`rhgb.te', `
+optional_policy(`rhgb.te',`
-	allow $1_t rhgb_t:process sigchld;
+rhgb_domain(lvm_t)
-	allow $1_t rhgb_t:fd use;
-	allow $1_t rhgb_t:fifo_file { read write };
 ')
 
 ') dnl end TODO