add disable_trans support

refpolicy/Changelog

@@ -1,3 +1,4 @@
+- Add disable_*_trans bool support for targeted policy.
 - Add MLS module to handle MLS constraint exceptions,
   such as reading up and writing down.
 - Fix errors uncovered by sediff.

refpolicy/policy/modules/system/init.if

@@ -57,9 +57,6 @@ interface(`init_daemon_domain',`
 		attribute direct_run_init, direct_init, direct_init_entry;
 		type initrc_t;
 		role system_r;
-		class fifo_file rw_file_perms;
-		class fd use;
-		class process { noatsecure siginh rlimitinh sigchld };
 	')
 
 	domain_type($1)
@@ -67,14 +64,6 @@ interface(`init_daemon_domain',`
 
 	role system_r types $1;
 
-	domain_auto_trans(initrc_t,$2,$1)
-
-	allow initrc_t $1:fd use;
-	allow initrc_t $1:process { noatsecure siginh rlimitinh };
-	allow $1 initrc_t:fd use;
-	allow $1 initrc_t:fifo_file rw_file_perms;
-	allow $1 initrc_t:process sigchld;
-
 	ifdef(`direct_sysadm_daemon',`
 		domain_auto_trans(direct_run_init,$2,$1)
 
@@ -95,6 +84,31 @@ interface(`init_daemon_domain',`
 		files_dontaudit_read_root_file($1)
 	')
 
+	ifdef(`targeted_policy',`
+		# this regex is a hack, since it assumes there is a
+		# _t at the end of the domain type.  If there is no _t
+		# at the end of the type, it returns empty!
+		bool regexp($1, `\(\w+\)_t', `disable_\1_trans') false;
+		if(! regexp($1, `\(\w+\)_t', `disable_\1_trans') ) {
+			domain_auto_trans(initrc_t,$2,$1)
+			allow initrc_t $1:fd use;
+			allow initrc_t $1:process { noatsecure siginh rlimitinh };
+			allow $1 initrc_t:fd use;
+			allow $1 initrc_t:fifo_file rw_file_perms;
+			allow $1 initrc_t:process sigchld;
+		} else {
+			can_exec(initrc_t,$2)
+			can_exec(direct_run_init,$2)
+		}
+	',`
+		domain_auto_trans(initrc_t,$2,$1)
+		allow initrc_t $1:fd use;
+		allow initrc_t $1:process { noatsecure siginh rlimitinh };
+		allow $1 initrc_t:fd use;
+		allow $1 initrc_t:fifo_file rw_file_perms;
+		allow $1 initrc_t:process sigchld;
+	')
+
 	optional_policy(`nscd.te',`
 		nscd_use_socket($1)
 	')