From 9d3bdc25af6aa6d22c9bf5bdba0e235f93ba7078 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Thu, 1 Sep 2005 20:13:42 +0000
Subject: [PATCH] fix bugs uncovered from sediff

---
 refpolicy/policy/modules/admin/acct.te           |  2 +-
 refpolicy/policy/modules/admin/consoletype.te    |  3 +--
 refpolicy/policy/modules/admin/logrotate.te      |  2 +-
 refpolicy/policy/modules/admin/rpm.te            |  6 +++---
 refpolicy/policy/modules/admin/sudo.if           |  2 +-
 refpolicy/policy/modules/admin/usermanage.te     | 11 ++++++-----
 refpolicy/policy/modules/kernel/bootloader.te    |  2 +-
 refpolicy/policy/modules/services/cron.te        |  2 +-
 refpolicy/policy/modules/services/remotelogin.te |  2 +-
 refpolicy/policy/modules/services/ssh.if         |  2 +-
 refpolicy/policy/modules/system/authlogin.te     |  2 +-
 refpolicy/policy/modules/system/domain.if        |  2 +-
 refpolicy/policy/modules/system/fstools.te       |  2 +-
 refpolicy/policy/modules/system/init.te          |  1 +
 refpolicy/policy/modules/system/locallogin.te    |  6 +++---
 refpolicy/policy/modules/system/logging.te       |  2 +-
 refpolicy/policy/modules/system/selinuxutil.te   |  2 +-
 refpolicy/policy/modules/system/sysnetwork.te    |  2 +-
 refpolicy/policy/modules/system/udev.te          |  2 +-
 refpolicy/policy/modules/system/userdomain.if    |  2 +-
 20 files changed, 29 insertions(+), 28 deletions(-)

diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
index 88b7c599..5696994d 100644
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@@ -53,7 +53,7 @@ domain_use_wide_inherit_fd(acct_t)
 files_read_etc_files(acct_t)
 files_read_etc_runtime_files(acct_t)
 # for nscd
-files_dontaudit_getattr_pid_dir(acct_t)
+files_dontaudit_search_pids(acct_t)
 
 init_use_fd(acct_t)
 init_use_script_pty(acct_t)
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 1c751aa8..eefeb836 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -18,8 +18,7 @@ role system_r types consoletype_t;
 #
 
 allow consoletype_t self:capability sys_admin;
-
-allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow consoletype_t self:fd use;
 allow consoletype_t self:fifo_file rw_file_perms;
 allow consoletype_t self:unix_dgram_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index c11e1a4b..911bca8f 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -30,7 +30,7 @@ allow logrotate_t self:capability { chown dac_override dac_read_search kill fset
 # for mailx
 dontaudit logrotate_t self:capability { setuid setgid };
 
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 
 # Set a context other than the default one for newly created files.
 allow logrotate_t self:process setfscreate;
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index eef0d058..a8864e3b 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -55,8 +55,8 @@ domain_entry_file(rpmbuild_t,rpmbuild_exec_t)
 # rpm Local policy
 #
 
-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net_bind_service sys_chroot sys_tty_config mknod };
-allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod };
+allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow rpm_t self:process { getattr setexec setfscreate setrlimit };
 allow rpm_t self:fd use;
 allow rpm_t self:fifo_file rw_file_perms;
@@ -204,7 +204,7 @@ allow rpm_t sysadm_gph_t:fd use;
 #
 
 allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow rpm_script_t self:fd use;
 allow rpm_script_t self:fifo_file rw_file_perms;
 allow rpm_script_t self:unix_dgram_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if
index 17fd5f24..5a83ccdd 100644
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@@ -51,7 +51,7 @@ template(`sudo_per_userdomain_template',`
 
 	# Use capabilities.
 	allow $1_sudo_t self:capability { setuid setgid dac_override sys_resource };
-	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_sudo_t self:process { setexec setrlimit };
 	allow $1_sudo_t self:fd use;
 	allow $1_sudo_t self:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index d2b0a156..72a63653 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -18,6 +18,7 @@ type chfn_exec_t;
 domain_entry_file(chfn_t,chfn_exec_t)
 
 type crack_t;
+domain_type(crack_t)
 role system_r types crack_t;
 
 type crack_exec_t;
@@ -63,7 +64,7 @@ role system_r types useradd_t;
 #
 
 allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
-allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow chfn_t self:process { setrlimit setfscreate };
 allow chfn_t self:fd use;
 allow chfn_t self:fifo_file rw_file_perms;
@@ -195,7 +196,7 @@ dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
 
 allow groupadd_t self:capability { dac_override chown kill setuid sys_resource };
 dontaudit groupadd_t self:capability fsetid;
-allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow groupadd_t self:process { setrlimit setfscreate };
 allow groupadd_t self:fd use;
 allow groupadd_t self:fifo_file rw_file_perms;
@@ -279,7 +280,7 @@ dontaudit groupadd_t sysadm_home_dir_t:dir search;
 #
 
 allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
-allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow passwd_t self:process { setrlimit setfscreate };
 allow passwd_t self:fd use;
 allow passwd_t self:fifo_file rw_file_perms;
@@ -368,7 +369,7 @@ dontaudit passwd_t var_run_t:dir search;
 #
 
 allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
-allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sysadm_passwd_t self:process { setrlimit setfscreate };
 allow sysadm_passwd_t self:fd use;
 allow sysadm_passwd_t self:fifo_file rw_file_perms;
@@ -466,7 +467,7 @@ dontaudit sysadm_passwd_t selinux_config_t:dir search;
 #
 
 allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
-allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
 allow useradd_t self:fd use;
 allow useradd_t self:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index be803e67..08aa3013 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -99,7 +99,7 @@ storage_raw_read_removable_device(bootloader_t)
 storage_raw_write_removable_device(bootloader_t)
 
 dev_getattr_all_chr_files(bootloader_t)
-dev_setattr_all_blk_files(bootloader_t)
+dev_getattr_all_blk_files(bootloader_t)
 dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
 dev_read_rand(bootloader_t)
 dev_read_urand(bootloader_t)
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 1213e091..cba03eaf 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -51,7 +51,7 @@ files_tmp_file(system_crond_tmp_t)
 
 allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
 dontaudit crond_t self:capability { sys_resource sys_tty_config };
-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow crond_t self:process setexec;
 allow crond_t self:fd use;
 allow crond_t self:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 27f01c9d..8f6084c3 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -24,7 +24,7 @@ files_tmp_file(remote_login_tmp_t)
 #
 
 allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
-allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow remote_login_t self:process { setrlimit setexec };
 allow remote_login_t self:fd use;
 allow remote_login_t self:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 9b7ada4d..4489fdcd 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -49,7 +49,7 @@ template(`ssh_per_userdomain_template',`
 	# $1_ssh_t local policy
 	#
 	allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
-	allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+	allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_ssh_t self:fd use;
 	allow $1_ssh_t self:fifo_file { read getattr lock ioctl write append };
 	allow $1_ssh_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 0e68a81a..f8049982 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -70,7 +70,7 @@ logging_log_file(wtmp_t)
 # PAM local policy
 #
 
-allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 dontaudit pam_t self:capability sys_tty_config;
 
 allow pam_t self:fd use;
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 3cbb4f4b..7aab5d02 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -412,7 +412,7 @@ interface(`domain_dontaudit_getsession_all_domains',`
 		class process getsession;
 	')
 
-	allow $1 domain:process getsession;
+	dontaudit $1 domain:process getsession;
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 4331448d..f4b01909 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -24,7 +24,7 @@ files_type(swapfile_t)
 
 # ipc_lock is for losetup
 allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
-allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
 allow fsadm_t self:fd use;
 allow fsadm_t self:fifo_file rw_file_perms;
 allow fsadm_t self:unix_dgram_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 3fa5e6bf..8eba00e9 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -258,6 +258,7 @@ domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getsession_all_domains(initrc_t)
 domain_use_wide_inherit_fd(initrc_t)
+domain_exec_all_entry_files(initrc_t)
 # for lsof which is used by alsa shutdown:
 domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 26aa3866..447829e5 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -33,8 +33,8 @@ role system_r types sulogin_t;
 # Local login local policy
 #
 
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow local_login_t self:process { setrlimit setexec };
 allow local_login_t self:fd use;
 allow local_login_t self:fifo_file rw_file_perms;
@@ -216,7 +216,7 @@ optional_policy(`locallogin.te',`
 # Sulogin local policy
 #
 
-allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sulogin_t self:fd use;
 allow sulogin_t self:fifo_file rw_file_perms;
 allow sulogin_t self:unix_dgram_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index dc5dee0c..ee7a5ad4 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -51,7 +51,7 @@ files_type(var_log_t)
 
 allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
 dontaudit auditd_t self:capability sys_tty_config;
-allow auditd_t self:process setsched;
+allow auditd_t self:process { signal_perms setsched };
 allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
 
 allow auditd_t var_log_t:dir search;
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index c2367e17..5e0db524 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -174,7 +174,7 @@ userdom_use_all_user_fd(load_policy_t)
 
 allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
 
-allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
 allow newrole_t self:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 4086c6a4..669ebee3 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -217,7 +217,7 @@ dontaudit dhcpc_t domain:dir getattr;
 # Ifconfig local policy
 #
 
-allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow ifconfig_t self:capability net_admin;
 dontaudit ifconfig_t self:capability sys_module;
 
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index d4c20386..12771948 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -35,7 +35,7 @@ files_pid_file(udev_var_run_t)
 #
 
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
-allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
 allow udev_t self:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index bd1a4671..3c42fed1 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -60,7 +60,7 @@ template(`base_user_template',`
 
 	allow $1_t self:capability { setgid chown fowner };
 	dontaudit $1_t self:capability { sys_nice fsetid };
-	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_t self:process { ptrace setfscreate };
 	allow $1_t self:fd use;
 	allow $1_t self:fifo_file rw_file_perms;