From b03f960ecea55e06bc883c34f23e51f0be270f04 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Tue, 27 Sep 2005 20:17:50 +0000
Subject: [PATCH] add disable_trans support

---
 refpolicy/Changelog                     |  1 +
 refpolicy/policy/modules/system/init.if | 36 +++++++++++++++++--------
 2 files changed, 26 insertions(+), 11 deletions(-)

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 4855de5e..ab495be3 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add disable_*_trans bool support for targeted policy.
 - Add MLS module to handle MLS constraint exceptions,
   such as reading up and writing down.
 - Fix errors uncovered by sediff.
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 19571493..60bf2344 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -57,9 +57,6 @@ interface(`init_daemon_domain',`
 		attribute direct_run_init, direct_init, direct_init_entry;
 		type initrc_t;
 		role system_r;
-		class fifo_file rw_file_perms;
-		class fd use;
-		class process { noatsecure siginh rlimitinh sigchld };
 	')
 
 	domain_type($1)
@@ -67,14 +64,6 @@ interface(`init_daemon_domain',`
 
 	role system_r types $1;
 
-	domain_auto_trans(initrc_t,$2,$1)
-
-	allow initrc_t $1:fd use;
-	allow initrc_t $1:process { noatsecure siginh rlimitinh };
-	allow $1 initrc_t:fd use;
-	allow $1 initrc_t:fifo_file rw_file_perms;
-	allow $1 initrc_t:process sigchld;
-
 	ifdef(`direct_sysadm_daemon',`
 		domain_auto_trans(direct_run_init,$2,$1)
 
@@ -95,6 +84,31 @@ interface(`init_daemon_domain',`
 		files_dontaudit_read_root_file($1)
 	')
 
+	ifdef(`targeted_policy',`
+		# this regex is a hack, since it assumes there is a
+		# _t at the end of the domain type.  If there is no _t
+		# at the end of the type, it returns empty!
+		bool regexp($1, `\(\w+\)_t', `disable_\1_trans') false;
+		if(! regexp($1, `\(\w+\)_t', `disable_\1_trans') ) {
+			domain_auto_trans(initrc_t,$2,$1)
+			allow initrc_t $1:fd use;
+			allow initrc_t $1:process { noatsecure siginh rlimitinh };
+			allow $1 initrc_t:fd use;
+			allow $1 initrc_t:fifo_file rw_file_perms;
+			allow $1 initrc_t:process sigchld;
+		} else {
+			can_exec(initrc_t,$2)
+			can_exec(direct_run_init,$2)
+		}
+	',`
+		domain_auto_trans(initrc_t,$2,$1)
+		allow initrc_t $1:fd use;
+		allow initrc_t $1:process { noatsecure siginh rlimitinh };
+		allow $1 initrc_t:fd use;
+		allow $1 initrc_t:fifo_file rw_file_perms;
+		allow $1 initrc_t:process sigchld;
+	')
+
 	optional_policy(`nscd.te',`
 		nscd_use_socket($1)
 	')