more cleanup in system

refpolicy/policy/modules/kernel/bootloader.te

@@ -142,6 +142,7 @@ miscfiles_read_localization(bootloader_t)
 
 seutil_read_binary_pol(bootloader_t)
 seutil_read_loadpol(bootloader_t)
+seutil_dontaudit_search_config(bootloader_t)
 
 ifdef(`distro_debian',`
 	allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
@@ -197,12 +198,13 @@ optional_policy(`rpm.te',`
 	rpm_rw_pipe(bootloader_t)
 ')
 
+optional_policy(`userdomain.te',`
+	userdom_dontaudit_search_staff_home_dir(bootloader_t)
+	userdom_dontaudit_search_sysadm_home_dir(bootloader_t)
+')
+
 ifdef(`TODO',`
-
-dontaudit bootloader_t selinux_config_t:dir search;
-dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
 dontaudit bootloader_t devpts_t:dir create_dir_perms;
-
 ifdef(`distro_debian', `
 	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
 	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;

refpolicy/policy/modules/kernel/filesystem.if

@@ -1489,6 +1489,41 @@ interface(`fs_search_tmpfs',`
 	allow $1 tmpfs_t:dir search;
 ')
 
+########################################
+## <summary>
+##	List the contents of generic tmpfs directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_list_tmpfs',`
+	gen_require(`
+		type tmpfs_t;
+		class dir r_dir_perms;
+	')
+
+	allow $1 tmpfs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list the
+##	contents of generic tmpfs directories.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`fs_dontaudit_list_tmpfs',`
+	gen_require(`
+		type tmpfs_t;
+		class dir r_dir_perms;
+	')
+
+	dontaudit $1 tmpfs_t:dir r_dir_perms;
+')
+
 ########################################
 #
 # fs_create_tmpfs_data(domain,derivedtype,[class])

refpolicy/policy/modules/kernel/kernel.if

@@ -172,6 +172,40 @@ interface(`kernel_sendto_unix_dgram_socket',`
 	allow $1 kernel_t:unix_dgram_socket sendto;
 ')
 
+########################################
+## <summary>
+##	Receive messages from kernel TCP sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`kernel_tcp_recvfrom',`
+	gen_require(`
+		type kernel_t;
+		class tcp_socket recvfrom;
+	')
+
+	allow $1 kernel_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##	Receive messages from kernel UDP sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`kernel_udp_recvfrom',`
+	gen_require(`
+		type kernel_t;
+		class udp_socket recvfrom;
+	')
+
+	allow $1 kernel_t:udp_socket recvfrom;
+')
+
 ########################################
 ## <summary>
 ##	Allows caller to load kernel modules

refpolicy/policy/modules/kernel/terminal.if

@@ -444,6 +444,24 @@ interface(`term_getattr_unallocated_ttys',`
 	allow $1 tty_device_t:chr_file getattr;
 ')
 
+########################################
+## <desc>
+##	Do not audit attempts to get the attributes
+##	of all unallocated tty device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`term_dontaudit_getattr_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+		class chr_file getattr;
+	')
+
+	dontaudit $1 tty_device_t:chr_file getattr;
+')
+
 ########################################
 ## <desc>
 ##	Set the attributes of all unallocated

refpolicy/policy/modules/system/domain.if

@@ -386,10 +386,28 @@ interface(`domain_dontaudit_getattr_all_sockets',`
 ')
 
 ########################################
-## <desc>
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all domains TCP sockets.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_tcp_sockets',`
+	gen_require(`
+		attribute domain;
+		class tcp_socket getattr;
+	')
+
+	dontaudit $1 domain:tcp_socket getattr;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to get the attributes
 ##	of all domains UDP sockets.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -404,21 +422,39 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',`
 ')
 
 ########################################
-## <desc>
+## <summary>
-##	Do not audit attempts to get the attributes
+##	Do not audit attempts to read or write
-##	of all domains TCP sockets.
+##	all domains UDP sockets.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`domain_dontaudit_getattr_all_tcp_sockets',`
+interface(`domain_dontaudit_rw_all_udp_sockets',`
 	gen_require(`
 		attribute domain;
-		class tcp_socket getattr;
+		class udp_socket { read write };
 	')
 
-	dontaudit $1 domain:tcp_socket getattr;
+	dontaudit $1 domain:udp_socket { read write };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	all domains key sockets.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_rw_all_key_sockets',`
+	gen_require(`
+		attribute domain;
+		class key_socket { read write };
+	')
+
+	dontaudit $1 domain:key_socket { read write };
 ')
 
 ########################################

refpolicy/policy/modules/system/init.te

@@ -371,6 +371,11 @@ optional_policy(`hotplug.te',`
 	modutils_read_mods_deps(initrc_t)
 ')
 
+optional_policy(`ipsec.te',`
+	ipsec_read_config(initrc_t)
+	ipsec_manage_pid(initrc_t)
+')
+
 optional_policy(`kerberos.te',`
 	kerberos_use(initrc_t)
 ')
@@ -391,6 +396,10 @@ optional_policy(`nis.te',`
 	nis_list_var_yp(initrc_t)
 ')
 
+optional_policy(`raid.te',`
+	raid_manage_mdadm_pid(initrc_t)
+')
+
 optional_policy(`rhgb.te',`
 	corecmd_shell_entry_type(initrc_t)
 ')

refpolicy/policy/modules/system/ipsec.if

@@ -23,3 +23,91 @@ interface(`ipsec_domtrans',`
 	allow ipsec_t $1:fifo_file rw_file_perms;
 	allow ipsec_t $1:process sigchld;
 ')
+
+########################################
+## <summary>
+##	Connect to an IPSEC unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`ipsec_connectto_unix_stream_socket',`
+	gen_require(`
+		type ipsec_t;
+		class unix_stream_socket connectto;
+	')
+
+	allow $1 ipsec_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Get the attributes of an IPSEC key socket.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`ipsec_getattr_key_socket',`
+	gen_require(`
+		type ipsec_t;
+		class key_socket getattr;
+	')
+
+	allow $1 ipsec_t:key_socket getattr;
+')
+
+########################################
+## <summary>
+##	Execute the IPSEC management program in the caller domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`ipsec_exec_mgmt',`
+	gen_require(`
+		type ipsec_exec_t;
+	')
+
+	can_exec($1,ipsec_exec_t)
+')
+
+########################################
+## <summary>
+##	Read the IPSEC configuration
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`ipsec_read_config',`
+	gen_require(`
+		type ipsec_conf_file_t;
+		class file r_file_perms;
+	')
+
+	files_search_etc($1)
+	allow $1 ipsec_conf_file_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the IPSEC pid files.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`ipsec_manage_pid',`
+	gen_require(`
+		type ipsec_var_run_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	files_search_pids($1)
+	allow $1 ipsec_var_run_t:dir rw_dir_perms;
+	allow $1 ipsec_var_run_t:file create_file_perms;
+')

refpolicy/policy/modules/system/ipsec.te

@@ -21,7 +21,7 @@ type ipsec_key_file_t;
 type ipsec_var_run_t;
 files_pid_file(ipsec_var_run_t)
 
-type ipsec_mgmt_t; #, privlog, admin, privmodule, nscd_client_domain;
+type ipsec_mgmt_t; # admin, privmodule;
 type ipsec_mgmt_exec_t;
 init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
 role system_r types ipsec_mgmt_t;
@@ -204,8 +204,10 @@ dev_read_rand(ipsec_mgmt_t)
 dev_read_urand(ipsec_mgmt_t)
 
 fs_getattr_xattr_fs(ipsec_mgmt_t)
+fs_list_tmpfs(ipsec_mgmt_t)
 
 term_use_console(ipsec_mgmt_t)
+term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
 
 # the default updown script wants to run route
 corecmd_exec_sbin(ipsec_mgmt_t)
@@ -214,6 +216,12 @@ corecmd_exec_sbin(ipsec_mgmt_t)
 corecmd_exec_bin(ipsec_mgmt_t)
 
 domain_use_wide_inherit_fd(ipsec_mgmt_t)
+# denials when ps tries to search /proc. Do not audit these denials.
+domain_dontaudit_list_all_domains_proc(ipsec_mgmt_t)
+# suppress audit messages about unnecessary socket access
+# cjp: this seems excessive
+domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
+domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 
 files_read_etc_files(ipsec_mgmt_t)
 files_exec_etc_files(ipsec_mgmt_t)
@@ -243,32 +251,13 @@ optional_policy(`consoletype.te',`
 	consoletype_exec(ipsec_mgmt_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(ipsec_mgmt_t)
+')
+
 ifdef(`TODO',`
-# denials when ps tries to search /proc. Do not audit these denials.
-dontaudit ipsec_mgmt_t domain:dir r_dir_perms;
-
-# suppress audit messages about unnecessary socket access
-dontaudit ipsec_mgmt_t domain:key_socket { read write };
-dontaudit ipsec_mgmt_t domain:udp_socket { read write };
-
-# allow pluto to search the root directory (not sure why, but mostly harmless)
-# Are these all really necessary?
-dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr;
-
 # ideally it would not need this.  It wants to write to /root/.rnd
 file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
 
-allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
 allow ipsec_mgmt_t dev_fs:file_class_set getattr;
-
-# allow system administrator to use the ipsec script to look
-# at things (e.g., ipsec auto --status)
-# probably should create an ipsec_admin role for this kind of thing
-can_exec(sysadm_t, ipsec_mgmt_exec_t)
-allow sysadm_t ipsec_t:unix_stream_socket connectto;
-# for lsof
-allow sysadm_t ipsec_t:key_socket getattr;
-
-rw_dir_create_file(initrc_t, ipsec_var_run_t)
-allow initrc_t ipsec_conf_file_t:file { getattr read ioctl };
 ') dnl end TODO

refpolicy/policy/modules/system/logging.te

@@ -239,6 +239,11 @@ files_dontaudit_search_isid_type_dir(syslogd_t)
 allow syslogd_t self:capability net_admin;
 allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
 
+ifdef(`distro_suse', `
+	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
+	files_create_var_lib(syslogd_t,devlog_t,sock_file)
+')
+
 ifdef(`klogd.te', `', `
 	# Allow access to /proc/kmsg for syslog-ng
 	kernel_read_messages(syslogd_t)
@@ -274,11 +279,6 @@ optional_policy(`rhgb.te', `
 	rhgb_domain(syslogd_t)
 ')
 
-ifdef(`distro_suse', `
-	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
-	file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
-')
-
 # log to the xconsole
 allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
 

refpolicy/policy/modules/system/miscfiles.te

@@ -9,8 +9,8 @@ policy_module(miscfiles,1.0)
 #
 # catman_t is the type for /var/catman.
 #
-type catman_t; # , tmpfile;
+type catman_t;
-files_type(catman_t)
+files_tmp_file(catman_t)
 
 #
 # cert_t is the type of files in the system certs directories.
@@ -46,5 +46,5 @@ files_type(test_file_t)
 #
 # for /var/{spool,lib}/texmf index files
 #
-type tetex_data_t; # , tmpfile;
+type tetex_data_t;
-files_type(tetex_data_t)
+files_tmp_file(tetex_data_t)

refpolicy/policy/modules/system/raid.if

@@ -24,3 +24,31 @@ interface(`raid_domtrans_mdadm',`
 	allow mdadm_t $1:fifo_file rw_file_perms;
 	allow mdadm_t $1:process sigchld;
 ')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the mdadm pid files.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete the mdadm pid files.
+##	</p>
+##	<p>
+##	Added for use in the init module.
+##	</p>
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`raid_manage_mdadm_pid',`
+	gen_require(`
+		type mdadm_var_run_t;
+		class file create_file_perms;
+	')
+
+	# FIXME: maybe should have a type_transition.  not
+	# clear what this is doing, from the original
+	# mdadm policy
+	allow $1 mdadm_var_run_t:file create_file_perms;
+')

refpolicy/policy/modules/system/raid.te

@@ -1,6 +1,9 @@
-#DESC mdadm - Linux RAID tool
+
+policy_module(mdadm,1.0)
+
+########################################
 #
-# Author: Colin Walters <walters@redhat.com>
+# Declarations
 #
 
 type mdadm_t;
@@ -11,6 +14,11 @@ role system_r types mdadm_t;
 type mdadm_var_run_t;
 files_pid_file(mdadm_var_run_t)
 
+########################################
+#
+# Local policy
+#
+
 allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
 dontaudit mdadm_t self:capability sys_tty_config;
 allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
@@ -28,6 +36,7 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
 dev_dontaudit_getattr_all_chr_files(mdadm_t)
 
 fs_search_auto_mountpoints(mdadm_t)
+fs_dontaudit_list_tmpfs(mdadm_t)
 
 # RAID block device access
 storage_manage_fixed_disk(mdadm_t)
@@ -77,13 +86,8 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
-allow initrc_t mdadm_var_run_t:file create_file_perms;
-
 # Ignore attempts to read every device file
-dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
+dontaudit mdadm_t device_t:{ fifo_file file chr_file blk_file } { read getattr };
-
-# Other random ignores
-dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
 
 allow mdadm_t var_t:dir getattr;
 ') dnl TODO

refpolicy/policy/modules/system/unconfined.if

@@ -98,6 +98,31 @@ interface(`unconfined_domtrans',`
 	allow unconfined_t $1:process sigchld;
 ')
 
+########################################
+## <desc>
+##	Execute specified programs in the unconfined domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to allow the unconfined domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the unconfined domain to use.
+## </param>
+#
+interface(`unconfined_run',`
+	gen_require(`
+		type unconfined_t;
+		class chr_file rw_term_perms;
+	')
+
+	unconfined_domtrans($1)
+	role $2 types unconfined_t;
+	allow unconfined_t $3:chr_file rw_term_perms;
+')
+
 ########################################
 ## <summary>
 ##	Transition to the unconfined domain by executing a shell.

refpolicy/policy/modules/system/unconfined.te

@@ -20,9 +20,6 @@ unconfined_domain_template(unconfined_t)
 
 logging_send_syslog_msg(unconfined_t)
 
-#role sysadm_r types unconfined_t;
-#domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
-
 ifdef(`targeted_policy',`
 	allow unconfined_t self:system syslog_read;
 

refpolicy/policy/modules/system/userdomain.te

@@ -122,6 +122,16 @@ ifdef(`targeted_policy',`
 		hostname_run(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`ipsec.te',`
+		# allow system administrator to use the ipsec script to look
+		# at things (e.g., ipsec auto --status)
+		# probably should create an ipsec_admin role for this kind of thing
+		ipsec_exec_mgmt(sysadm_t)
+		ipsec_connectto_unix_stream_socket(sysadm_t)
+		# for lsof
+		ipsec_getattr_key_socket(sysadm_t)
+	')
+
 	optional_policy(`iptables.te',`
 		iptables_run(sysadm_t,sysadm_r,admin_terminal)
 	')
@@ -176,6 +186,10 @@ ifdef(`targeted_policy',`
 		sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`unconfined.te',`
+		unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
+	')
+
 	optional_policy(`usermanage.te',`
 		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
 		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)