From 9461b606575dc43ac1b3d634b96ae22504e130a8 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Wed, 15 Sep 2010 11:31:20 -0400
Subject: [PATCH] Add the ability to send audit messages to confined admin policies
Remove permissive domain from cmirrord and dontaudit sys_tty_config
Split out unconfined_domain() calls from other unconfined_ calls so we can disable unconfined.pp and leave unconfineduser
virt needs to be able to read processes to clearance for MLS
---
 policy/modules/roles/dbadm.te | 1 +
 policy/modules/roles/webadm.te | 1 +
 policy/modules/services/cmirrord.te | 3 +--
 policy/modules/services/cron.te | 7 +++++--
 policy/modules/services/tgtd.te | 2 ++
 policy/modules/services/virt.te | 1 +
 policy/modules/system/userdomain.fc | 1 +
 policy/modules/system/userdomain.if | 6 +++---
 8 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index 20d93338..e9c9277d 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -37,6 +37,7 @@ files_list_var(dbadm_t)
 selinux_get_enforce_mode(dbadm_t)
 logging_send_syslog_msg(dbadm_t)
+logging_send_audit_msgs(dbadm_t)
 userdom_dontaudit_search_user_home_dirs(dbadm_t)
diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te
index 0ecc7862..dbf27107 100644
--- a/policy/modules/roles/webadm.te
+++ b/policy/modules/roles/webadm.te
@@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t)
 seutil_domtrans_setfiles(webadm_t)
 logging_send_syslog_msg(webadm_t)
+logging_send_audit_msgs(webadm_t)
 userdom_dontaudit_search_user_home_dirs(webadm_t)
diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te
index 1e4adfaf..bb7d429b 100644
--- a/policy/modules/services/cmirrord.te
+++ b/policy/modules/services/cmirrord.te
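Review bot: `logging_send_audit_msgs(dbadm_t)` widens what this confined admin role can put into the audit trail — in refpolicy that interface presumably grants the audit_write capability and netlink audit socket use, so the domain can emit its own audit records rather than only trigger kernel ones. Nothing in the hunk or the commit message says which tool in the dbadm role needs this; the syslog rule above it is equally uncommented, but this one touches the integrity of the audit log, which matters more under MLS. A one-line comment would make the grant reviewable, e.g. `# admin tools in this role write their own audit records (audit_write)`, filled in with the actual program once confirmed. The same applies to the webadm.te hunk, which adds `logging_send_audit_msgs(webadm_t)` in the same position.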
@@ -9,8 +9,6 @@ type cmirrord_t;
 type cmirrord_exec_t;
 init_daemon_domain(cmirrord_t, cmirrord_exec_t)
-permissive cmirrord_t;
-
 type cmirrord_initrc_exec_t;
 init_script_file(cmirrord_initrc_exec_t)
@@ -26,6 +24,7 @@ files_pid_file(cmirrord_var_run_t)
 # allow cmirrord_t self:capability { net_admin kill };
+dontaudit cmirrord_t self:capability sys_tty_config;
 allow cmirrord_t self:process signal;
 allow cmirrord_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index c72dd92b..ff1a1c99 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -579,10 +579,13 @@ optional_policy(`
 ')
 optional_policy(`
- unconfined_dbus_send(crond_t)
- unconfined_shell_domtrans(crond_t)
 unconfined_domain(crond_t)
 unconfined_domain(system_cronjob_t)
+')
+
+optional_policy(`
+ unconfined_shell_domtrans(crond_t)
+ unconfined_dbus_send(crond_t)
 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
 ')
diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
index 108631e1..678ab903 100644
--- a/policy/modules/services/tgtd.te
+++ b/policy/modules/services/tgtd.te
@@ -57,6 +57,8 @@ corenet_tcp_bind_generic_node(tgtd_t)
 corenet_tcp_bind_iscsi_port(tgtd_t)
 corenet_sendrecv_iscsi_server_packets(tgtd_t)
+dev_search_sysfs(tgtd_t)
+
 files_read_etc_files(tgtd_t)
 fs_read_anon_inodefs_files(tgtd_t)
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index f38e1ce3..91a1d0aa 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -321,6 +321,7 @@ fs_rw_hugetlbfs_files(virtd_t)
 mls_fd_share_all_levels(virtd_t)
 mls_file_read_to_clearance(virtd_t)
 mls_file_write_to_clearance(virtd_t)
+mls_process_read_to_clearance(virtd_t)
 mls_process_write_to_clearance(virtd_t)
 mls_net_write_within_range(virtd_t)
 mls_socket_write_to_clearance(virtd_t)
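Review bot: The new `dontaudit cmirrord_t self:capability sys_tty_config;` in the second cmirrord.te hunk silences a denial rather than granting it, and with `permissive cmirrord_t;` removed in the first hunk that denial is now actually enforced instead of merely logged. That is the right shape only if cmirrord keeps working without the capability, and the hunk gives no hint which operation triggers the check, so anyone chasing a silent failure later has nothing to go on. Suggest recording what was observed next to the rule, e.g. `# denied while the domain was permissive; cmirrord runs fine without it`, adjusted to what was actually verified. The local-policy section the rule sits in continues outside the hunk.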
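Review bot: The two adjacent `optional_policy(` blocks in the cron.te hunk now read as redundant — both hold unconfined_ calls and nothing in the file says why `unconfined_domain()` stands alone. The commit message carries the rationale (the first block depends on unconfined.pp, the second is meant to stay active when only unconfineduser is loaded), but that belongs next to the code, e.g. `# unconfined_domain() comes from unconfined.pp; kept separate so the shell/dbus rules survive when only unconfineduser is loaded`. If I read the block boundaries right, `userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, ...)` still only takes effect when the unconfined_ requires of its block resolve; if it is meant to be unconditional it should move outside optional_policy. The order of `unconfined_shell_domtrans` and `unconfined_dbus_send` is also swapped relative to the removed lines, which looks accidental.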
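Review bot: `mls_process_read_to_clearance(virtd_t)` in the virt.te hunk is an MLS constraint exemption — it presumably lets virtd_t read process state of domains running above its own level, up to its clearance — and it is added without a comment among a list of equally uncommented exemptions. The commit message only says virt "needs to be able to read processes to clearance", not which operation was denied, so a later reviewer cannot tell whether the exemption is still required or could be narrowed. Suggest `# MLS: virtd reads process state of higher-level guest/helper processes (denied on <operation>)` with the real operation filled in.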
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index 4d34e8e6..392d1eef 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -14,3 +14,4 @@ HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
 HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
 HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
 HOME_DIR/\.gvfs(/.*)? <>
+HOME_DIR/\.debug(/.*)? <>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index c67c8e8a..45882b2d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -123,6 +123,9 @@ template(`userdom_base_user_template',`
 auth_use_nsswitch($1_usertype)
 init_stream_connect($1_usertype)
+ # The library functions always try to open read-write first,
+ # then fall back to read-only if it fails.
+ init_dontaudit_rw_utmp($1_usertype)
 libs_exec_ld_so($1_usertype)
@@ -886,9 +889,6 @@ template(`userdom_login_user_template', `
 auth_dontaudit_write_login_records($1_t)
 auth_rw_cache($1_t)
- # The library functions always try to open read-write first,
- # then fall back to read-only if it fails.
- init_dontaudit_rw_utmp($1_usertype)
 # Stop warnings about access to /dev/console
 init_dontaudit_use_fds($1_usertype)
 init_dontaudit_use_script_fds($1_usertype)
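Review bot: `HOME_DIR/\.debug(/.*)? <>` excludes that tree from relabeling, so whatever label its files receive at creation time is what restorecon/setfiles will leave in place; unlike the `.gvfs` entry above it (presumably a mount point that cannot be relabeled) the reason is not obvious from the pattern. A comment naming the producer would make the exclusion reviewable, e.g. `# ~/.debug is a per-user tool cache; keep the labels its writer assigns` — it looks like perf's build-id cache, but that should be confirmed rather than guessed. Without a comment the `<>` reads like a missing context rather than a deliberate choice.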
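Review bot: Moving `init_dontaudit_rw_utmp($1_usertype)` from userdom_login_user_template into userdom_base_user_template (first userdomain.if hunk) widens the dontaudit to every user type built on the base template, not only login users, and neither the copied comment nor the commit message mentions that scope change. If that is intended, say so where the rule now lives: `# Applies to every base user type, not just login users (moved from userdom_login_user_template).`; if not, the removal in the second userdomain.if hunk should be reverted instead. Both template bodies extend outside their hunks.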