From 93f445b8c092613ffd7e2e2a20e22b4133304a0d Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 20 Aug 2008 19:45:39 +0000
Subject: [PATCH] trunk: firstboot update from dan.
---
 policy/modules/admin/firstboot.if | 19 +++++++++++++++++++
 policy/modules/admin/firstboot.te | 12 +++---------
 policy/modules/services/ntp.te | 3 ++-
 3 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if
index 6b6b9fa6..402cc7ac 100644
--- a/policy/modules/admin/firstboot.if
+++ b/policy/modules/admin/firstboot.if
@@ -142,3 +142,22 @@ interface(`firstboot_dontaudit_rw_pipes',`
 dontaudit $1 firstboot_t:fifo_file { read write };
 ')
+
+########################################
+##
+## Do not audit attemps to read and write to a firstboot
+## unix domain stream socket.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`firstboot_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:unix_stream_socket { read write };
+')
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index 93a9c3b7..2b56ed7d 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -1,5 +1,5 @@
-policy_module(firstboot, 1.7.0)
+policy_module(firstboot, 1.7.1)
 gen_require(`
 class passwd rootok;
@@ -35,9 +35,6 @@ allow firstboot_t self:passwd rootok;
 allow firstboot_t firstboot_etc_t:file { getattr read };
-# The big hammer
-unconfined_domain(firstboot_t)
-
 kernel_read_system_state(firstboot_t)
 kernel_read_kernel_sysctls(firstboot_t)
@@ -63,7 +60,6 @@ corecmd_exec_all_executables(firstboot_t)
 files_exec_etc_files(firstboot_t)
 files_manage_etc_files(firstboot_t)
 files_manage_etc_runtime_files(firstboot_t)
-files_etc_filetrans_etc_runtime(firstboot_t, { file dir })
 files_read_usr_files(firstboot_t)
 files_manage_var_dirs(firstboot_t)
 files_manage_var_files(firstboot_t)
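Review bot: The summary of the new `firstboot_dontaudit_rw_stream_sockets` interface misspells "attempts" as `attemps`, and because refpolicy builds its interface documentation from these `##` blocks the typo will surface in the generated docs; the one-word fix is `## Do not audit attempts to read and write to a firstboot`. It would also help callers if the summary said what situation the rule is for: the only caller in this commit (ntp.te) pairs it with `firstboot_dontaudit_use_fds`, which suggests it exists to quiet denials on a socket a child inherits from firstboot rather than to cover a deliberate exchange — worth stating so nobody reaches for it to hide the latter.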
@@ -110,6 +106,8 @@ optional_policy(`
 optional_policy(`
 unconfined_domtrans(firstboot_t)
+ # The big hammer
+ unconfined_domain(firstboot_t)
 ')
 optional_policy(`
@@ -131,8 +129,4 @@ ifdef(`userhelper.te', `
 role system_r types sysadm_userhelper_t;
 domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
 ')
-
-ifdef(`xserver.te', `
- domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
-')
 ') dnl end TODO
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index f10ed7de..1b518010 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
-policy_module(ntp, 1.6.0)
+policy_module(ntp, 1.6.1)
 ########################################
 #
@@ -117,6 +117,7 @@ optional_policy(`
 optional_policy(`
 firstboot_dontaudit_use_fds(ntpd_t)
 firstboot_dontaudit_rw_pipes(ntpd_t)
+ firstboot_dontaudit_rw_stream_sockets(ntpd_t)
 ')
 optional_policy(`
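Review bot: On the new side of this hunk `unconfined_domain(firstboot_t)` is still granted whenever the unconfined module is loaded, so on any build that ships that module firstboot_t remains fully unconfined and the narrower rules this commit removes elsewhere (`files_etc_filetrans_etc_runtime`, the xserver transition) only take effect when that module is absent; the retained `# The big hammer` comment does not say why the domain needs it or when it could go. Please replace the comment with the reason and the exit criterion, for example `# firstboot invokes arbitrary system-configuration tools; unconfined until those have their own domains` — the exact motivation is not visible in the hunk, so adjust the wording to what is actually known. Stating this explicitly also tells anyone auditing the policy that the module presence, not any boolean, is the only switch.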
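Review bot: The added `firstboot_dontaudit_rw_stream_sockets(ntpd_t)` suppresses every read/write denial on firstboot_t unix stream sockets for ntpd_t, not only the inherited-descriptor case the neighbouring `firstboot_dontaudit_use_fds` line targets, so an unexpected use of such a socket by ntpd would leave no audit record. That mirrors the existing `firstboot_dontaudit_rw_pipes` rule above it, which is fine, but a comment naming the leak that motivates the trio would help the next reviewer decide whether the silence is still warranted, e.g. `# descriptors inherited when firstboot starts ntpd; silence the denials rather than allow them` — hedged, since the leak itself is not visible here.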