work on users

refpolicy/policy/modules/kernel/filesystem.if

@@ -2365,6 +2365,23 @@ interface(`fs_relabelfrom_all_fs',`
 	allow $1 filesystem_type:filesystem relabelfrom;
 ')
 
+########################################
+## <summary>
+##	Get the attributes of all directories
+##	with a filesystem type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_getattr_all_dirs',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Search all directories with a filesystem type.
@@ -2376,10 +2393,9 @@ interface(`fs_relabelfrom_all_fs',`
 interface(`fs_search_all',`
 	gen_require(`
 		attribute filesystem_type;
-		class dir { getattr search };
 	')
 
-	allow $1 filesystem_type:dir { getattr search };
+	allow $1 filesystem_type:dir search_dir_perms;
 ')
 
 ########################################

refpolicy/policy/modules/kernel/kernel.if

@@ -1494,12 +1494,27 @@ interface(`kernel_sigchld_unlabeled',`
 interface(`kernel_list_unlabeled',`
 	gen_require(`
 		type unlabeled_t;
-		class dir r_dir_perms;
 	')
 
 	allow $1 unlabeled_t:dir r_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to list unlabeled directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`kernel_dontaudit_list_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write unlabeled directories.
@@ -1511,7 +1526,6 @@ interface(`kernel_list_unlabeled',`
 interface(`kernel_rw_unlabeled_dir',`
 	gen_require(`
 		type unlabeled_t;
-		class dir rw_dir_perms;
 	')
 
 	allow $1 unlabeled_t:dir rw_dir_perms;
@@ -1551,6 +1565,57 @@ interface(`kernel_dontaudit_read_unlabeled_file',`
 	dontaudit $1 unlabeled_t:file { getattr read };
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts by caller to get the
+##	attributes of unlabeled symbolic links.
+## </summary>
+## <param name="domain">
+##	The process type not to audit.
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_symlinks',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to get the
+##	attributes of unlabeled named pipes.
+## </summary>
+## <param name="domain">
+##	The process type not to audit.
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_pipes',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to get the
+##	attributes of unlabeled named sockets.
+## </summary>
+## <param name="domain">
+##	The process type not to audit.
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_sockets',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:sock_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts by caller to get attributes for
@@ -1563,7 +1628,6 @@ interface(`kernel_dontaudit_read_unlabeled_file',`
 interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
 	gen_require(`
 		type unlabeled_t;
-		class blk_file getattr;
 	')
 
 	dontaudit $1 unlabeled_t:blk_file getattr;
@@ -1580,12 +1644,28 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
 interface(`kernel_use_unlabeled_blk_dev',`
 	gen_require(`
 		type unlabeled_t;
-		class blk_file rw_file_perms;
 	')
 
 	allow $1 unlabeled_t:blk_file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts by caller to get attributes for
+##	unlabeled character devices.
+## </summary>
+## <param name="domain">
+##	The process type not to audit.
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_chr_dev',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:chr_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Allow caller to relabel unlabeled objects.

refpolicy/policy/modules/services/cron.if

@@ -104,6 +104,7 @@ template(`cron_per_userdomain_template',`
 	domain_exec_all_entry_files($1_crond_t)
 	# quiet other ps operations
 	domain_dontaudit_read_all_domains_state($1_crond_t)
+	domain_dontaudit_getattr_all_domains($1_crond_t)
 
 	files_read_usr_files($1_crond_t)
 	files_exec_etc_files($1_crond_t)

refpolicy/policy/modules/services/cron.te

@@ -1,5 +1,5 @@
 
-policy_module(cron, 1.0.1)
+policy_module(cron, 1.0.2)
 
 gen_require(`
 	class passwd rootok;

refpolicy/policy/modules/services/hal.if

@@ -71,3 +71,22 @@ interface(`hal_dbus_send',`
 
 	allow $1 hald_t:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	hal over dbus.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`hal_dbus_chat',`
+	gen_require(`
+		type hald_t;
+		class dbus send_msg;
+	')
+
+	allow $1 hald_t:dbus send_msg;
+	allow hald_t $1:dbus send_msg;
+')

refpolicy/policy/modules/services/inetd.if

@@ -216,9 +216,24 @@ interface(`inetd_domtrans_child',`
 interface(`inetd_udp_sendto',`
 	gen_require(`
 		type inetd_t;
-		class udp_socket { sendto recvfrom };
 	')
 
 	allow $1 inetd_t:udp_socket sendto;
 	allow inetd_t $1:udp_socket recvfrom;
 ')
+
+########################################
+## <summary>
+##	Read and write inetd TCP sockets.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`inetd_rw_tcp_socket',`
+	gen_require(`
+		type inetd_t;
+	')
+
+	allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+')

refpolicy/policy/modules/services/radius.te

@@ -1,5 +1,5 @@
 
-policy_module(radius,1.0)
+policy_module(radius,1.0.1)
 
 ########################################
 #

refpolicy/policy/modules/system/authlogin.if

@@ -610,6 +610,25 @@ interface(`auth_domtrans_pam_console',`
 	allow pam_console_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Search the contents of the
+##	pam_console data directory.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`auth_search_pam_console_data',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_search_var($1)
+	files_search_pids($1)
+	allow $1 pam_var_console_t:dir search_dir_perms;
+')
+
 #######################################
 #
 # auth_list_pam_console_data(domain)
@@ -617,7 +636,6 @@ interface(`auth_domtrans_pam_console',`
 interface(`auth_list_pam_console_data',`
 	gen_require(`
 		type pam_var_console_t;
-		class dir r_dir_perms;
 	')
 
 	files_search_var($1)

refpolicy/policy/modules/system/domain.if

@@ -528,6 +528,22 @@ interface(`domain_getattr_all_domains',`
 	allow $1 domain:process getattr;
 ')
 
+########################################
+## <summary>
+##	Get the attributes of all domains of all domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:process getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read the process state (/proc/pid) of all confined domains.
@@ -648,15 +664,15 @@ interface(`domain_dontaudit_ptrace_confined_domains',`
 interface(`domain_dontaudit_read_all_domains_state',`
 	gen_require(`
 		attribute domain;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
-		class file r_file_perms;
 	')
 
 	dontaudit $1 domain:dir r_dir_perms;
 	dontaudit $1 domain:lnk_file r_file_perms;
 	dontaudit $1 domain:file r_file_perms;
-	dontaudit $1 domain:process getattr;
+
+	# cjp: these should be removed:
+	dontaudit $1 domain:sock_file r_file_perms;
+	dontaudit $1 domain:fifo_file r_file_perms;
 ')
 
 ########################################

refpolicy/policy/modules/system/hotplug.te

@@ -1,5 +1,5 @@
 
-policy_module(hotplug, 1.0)
+policy_module(hotplug,1.0.1)
 
 ########################################
 #
@@ -87,6 +87,7 @@ corecmd_exec_ls(hotplug_t)
 domain_use_wide_inherit_fd(hotplug_t)
 # for ps
 domain_dontaudit_read_all_domains_state(hotplug_t)
+domain_dontaudit_getattr_all_domains(hotplug_t)
 
 files_read_etc_files(hotplug_t)
 files_manage_etc_runtime_files(hotplug_t)

refpolicy/policy/modules/system/userdomain.if

@@ -142,7 +142,13 @@ template(`base_user_template',`
 	per_userdomain_templates($1,$1_t,$1_r)
 
 	kernel_read_kernel_sysctl($1_t)
-	selinux_get_fs_mount($1_t)
+	kernel_dontaudit_list_unlabeled($1_t)
+	kernel_dontaudit_getattr_unlabeled_file($1_t)
+	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
+	kernel_dontaudit_getattr_unlabeled_pipes($1_t)
+	kernel_dontaudit_getattr_unlabeled_sockets($1_t)
+	kernel_dontaudit_getattr_unlabeled_blk_dev($1_t)
+	kernel_dontaudit_getattr_unlabeled_chr_dev($1_t)
 	# Very permissive allowing every domain to see every type:
 	kernel_get_sysvipc_info($1_t)
 	# Find CDROM devices:
@@ -180,6 +186,7 @@ template(`base_user_template',`
 
 	fs_get_all_fs_quotas($1_t)
 	fs_getattr_all_fs($1_t)
+	fs_getattr_all_dirs($1_t)
 	fs_search_auto_mountpoints($1_t)
 
 	# cjp: some of this probably can be removed
@@ -195,6 +202,7 @@ template(`base_user_template',`
 
 	auth_read_login_records($1_t)
 	auth_dontaudit_write_login_records($1_t)
+	auth_search_pam_console_data($1_t)
 	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 
@@ -207,6 +215,7 @@ template(`base_user_template',`
 	# When the user domain runs ps, there will be a number of access
 	# denials when ps tries to search /proc.  Do not audit these denials.
 	domain_dontaudit_read_all_domains_state($1_t)
+	domain_dontaudit_getattr_all_domains($1_t)
 	domain_dontaudit_getsession_all_domains($1_t)
 
 	files_exec_etc_files($1_t)
@@ -304,6 +313,11 @@ template(`base_user_template',`
 		term_getattr_all_user_ttys($1_t)
 	')
 
+	optional_policy(`apm',`
+		# Allow graphical boot to check battery lifespan
+		apm_stream_connect($1_t)
+	')
+
 	optional_policy(`canna',`
 		canna_stream_connect($1_t)
 	')
@@ -311,6 +325,10 @@ template(`base_user_template',`
 	optional_policy(`dbus',`
 		dbus_system_bus_client_template($1,$1_t)
 
+		optional_policy(`hal',`
+			hal_dbus_chat($1_t)
+		')
+
 		optional_policy(`networkmanager',`
 			networkmanager_dbus_chat($1_t)
 		')
@@ -332,6 +350,9 @@ template(`base_user_template',`
 
 	optional_policy(`inetd',`
 		inetd_tcp_connect($1_t)
+		inetd_udp_sendto($1_t)
+		inetd_use_fd($1_t)
+		inetd_rw_tcp_socket($1_t)
 	')
 
 	optional_policy(`inn',`
@@ -345,7 +366,7 @@ template(`base_user_template',`
 	')
 
 	optional_policy(`mysql',`
-		ifdef(`targeted_policy',`',`
+		ifdef(`strict_policy',`
 			tunable_policy(`allow_user_mysql_connect',`
 				mysql_stream_connect($1_t)
 			')
@@ -361,12 +382,17 @@ template(`base_user_template',`
 		pcmcia_read_pid($1_t)
 	')
 
+	optional_policy(`portmap',`
+		portmap_tcp_connect($1_t)
+	')
+
 	optional_policy(`quota',`
 		quota_dontaudit_getattr_db($1_t)
 	')
 
 	optional_policy(`rpc',`
 		rpc_dontaudit_getattr_exports($1_t)
+		rpc_manage_nfs_rw_content($1_t)
 	')
 
 	optional_policy(`rpm',`
@@ -374,6 +400,10 @@ template(`base_user_template',`
 		files_search_var_lib($1_t)
 	')
 
+	optional_policy(`samba',`
+		samba_connect_winbind($1_t)
+	')
+
 	optional_policy(`squid',`
 		squid_use($1_t)
 	')
@@ -384,9 +414,6 @@ template(`base_user_template',`
 	')
 
 	ifdef(`TODO',`
-
-	can_winbind($1_t)
-
 	#
 	# Cups daemon running as user tries to write /etc/printcap
 	#
@@ -395,13 +422,6 @@ template(`base_user_template',`
 	# Check to see if cdrom is mounted
 	allow $1_t mnt_t:dir { getattr search };
 
-	#
-	# Added to allow reading of cdrom
-	#
-	allow $1_t rpc_pipefs_t:dir getattr;
-	allow $1_t nfsd_fs_t:dir getattr;
-	allow $1_t binfmt_misc_fs_t:dir getattr;
-
 	# /initrd is left mounted, various programs try to look at it
 	dontaudit $1_t ramfs_t:dir getattr;
 
@@ -412,12 +432,7 @@ template(`base_user_template',`
 
 	r_dir_file($1_t, usercanread)
 
-	allow $1_t fs_type:dir getattr;
-
 	# old browser_domain():
-	dontaudit $1 unlabeled_t:dir_file_class_set getattr;
-	dontaudit $1 unlabeled_t:dir search;
-	dontaudit $1 unlabeled_t:dir read;
 	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
 	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
 	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
@@ -426,32 +441,6 @@ template(`base_user_template',`
 
 	can_resmgrd_connect($1_t)
 
-	# Grant permissions to access the system DBus
-	ifdef(`dbusd.te', `
-		ifdef(`hald.te', `
-			allow $1_t hald_t:dbus send_msg;
-			allow hald_t $1_t:dbus send_msg;
-		')
-	')
-
-	# Gnome pannel binds to the following
-	ifdef(`cups.te', `
-		allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
-	')
-
-	ifdef(`inetd.te', `
-		# Connect to inetd.
-		inetd_tcp_connect($1_t)
-		can_udp_send($1_t, inetd_t)
-		can_udp_send(inetd_t, $1_t)
-		# Inherit and use sockets from inetd
-		inetd_use_fd($1_t)
-		allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-	')
-
-	# Connect to portmap.
-	ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
-
 	# Use X
 	x_client_domain($1, $1)
 
@@ -472,10 +461,7 @@ template(`base_user_template',`
 	')
 
 	# start read_fonts()
-
-	# cjp: this macro is unconditional, though
-	# its in a conditional file.
-
+	# cjp: these types come in from fontconfig
 	# Manipulate the global font cache
 	create_dir_file($1, $1_fonts_cache_t)
 
@@ -488,23 +474,6 @@ template(`base_user_template',`
 	allow $1 $2_gnome_settings_t:dir { getattr search };
 	')
 	# end read_fonts()
-
-	ifdef(`rpcd.te', `
-		create_dir_file($1_t, nfsd_rw_t)
-	')
-
-	#
-	# Allow graphical boot to check battery lifespan
-	#
-	ifdef(`apmd.te', `
-		allow $1_t apmd_t:unix_stream_socket connectto;
-		allow $1_t apmd_var_run_t:sock_file write;
-	')
-
-	ifdef(`pamconsole.te', `
-		allow $1_t pam_var_console_t:dir search;
-	')
-
 	') dnl endif TODO
 
 ')

refpolicy/policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.0.3)
+policy_module(userdomain,1.0.4)
 
 ########################################
 #