clean up usercanread

refpolicy/policy/modules/admin/usermanage.te

@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.3.5)
+policy_module(usermanage,1.3.6)
 
 ########################################
 #
@@ -25,7 +25,7 @@ type crack_exec_t;
 domain_entry_file(crack_t,crack_exec_t)
 
 type crack_db_t;
-files_config_file(crack_db_t)
+files_type(crack_db_t)
 
 type crack_tmp_t;
 files_tmp_file(crack_tmp_t)

refpolicy/policy/modules/kernel/filesystem.te

@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.3.9)
+policy_module(filesystem,1.3.10)
 
 ########################################
 #
@@ -159,7 +159,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
 type removable_t;
 allow removable_t noxattrfs:filesystem associate;
 fs_noxattr_type(removable_t)
-files_config_file(removable_t)
+files_type(removable_t)
 
 #
 # nfs_t is the default type for NFS file systems

refpolicy/policy/modules/services/cups.te

@@ -1,5 +1,5 @@
 
-policy_module(cups,1.3.8)
+policy_module(cups,1.3.9)
 
 ########################################
 #
@@ -131,8 +131,10 @@ kernel_tcp_recvfrom(cupsd_t)
 corenet_non_ipsec_sendrecv(cupsd_t)
 corenet_tcp_sendrecv_all_if(cupsd_t)
 corenet_udp_sendrecv_all_if(cupsd_t)
+corenet_raw_sendrecv_all_if(cupsd_t)
 corenet_tcp_sendrecv_all_nodes(cupsd_t)
 corenet_udp_sendrecv_all_nodes(cupsd_t)
+corenet_raw_sendrecv_all_nodes(cupsd_t)
 corenet_tcp_sendrecv_all_ports(cupsd_t)
 corenet_udp_sendrecv_all_ports(cupsd_t)
 corenet_tcp_bind_all_nodes(cupsd_t)
@@ -153,6 +155,8 @@ dev_read_usbfs(cupsd_t)
 
 fs_getattr_all_fs(cupsd_t)
 fs_search_auto_mountpoints(cupsd_t)
+# from old usercanread attrib:
+fs_read_removable_files(cupsd_t)
 
 term_dontaudit_use_console(cupsd_t)
 term_write_unallocated_ttys(cupsd_t)
@@ -250,10 +254,6 @@ optional_policy(`
 	inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
 ')
 
-optional_policy(`
-	mount_send_nfs_client_request(cupsd_t)
-')
-
 optional_policy(`
 	nscd_socket_use(cupsd_t)
 ')
@@ -262,9 +262,14 @@ optional_policy(`
 	portmap_udp_chat(cupsd_t)
 ')
 
+optional_policy(`
+	# from old usercanread attrib:
+	rpc_read_nfs_content(cupsd_t)
+	rpc_read_nfs_state_data(cupsd_t)
+')
+
 optional_policy(`
 	samba_rw_var_files(cupsd_t)
-	# cjp: rw_dir_perms was here, but doesnt make sense
 ')
 
 optional_policy(`
@@ -275,6 +280,16 @@ optional_policy(`
 	udev_read_db(cupsd_t)
 ')
 
+optional_policy(`
+	# from old usercanread attrib:
+	usermanage_read_crack_db(cupsd_t)
+')
+
+optional_policy(`
+	# from old usercanread attrib:
+	xserver_read_xkb_libs(cupsd_t)
+')
+
 ifdef(`TODO',`
 allow web_client_domain cupsd_t:tcp_socket { connectto recvfrom };
 allow cupsd_t web_client_domain:tcp_socket { acceptfrom recvfrom };
@@ -308,11 +323,6 @@ allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
 allow cupsd_config_t cupsd_t:dir { search getattr read };
 allow cupsd_config_t cupsd_t:{ file lnk_file } { read getattr };
 allow cupsd_config_t cupsd_t:process getattr;
-# We need to suppress this denial because procps tries to access
-# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-# running in a privileged domain.
-dontaudit cupsd_config_t cupsd_t:process ptrace;
 
 allow cupsd_config_t cupsd_config_var_run_t:file create_file_perms;
 allow cupsd_config_t cupsd_config_var_run_t:dir rw_dir_perms;
@@ -338,14 +348,12 @@ kernel_read_system_state(cupsd_config_t)
 kernel_read_kernel_sysctls(cupsd_config_t)
 kernel_tcp_recvfrom(cupsd_config_t)
 
-corenet_tcp_sendrecv_all_if(cupsd_config_t)
-corenet_raw_sendrecv_all_if(cupsd_config_t)
-corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
-corenet_raw_sendrecv_all_nodes(cupsd_config_t)
-corenet_tcp_sendrecv_all_ports(cupsd_config_t)
 corenet_non_ipsec_sendrecv(cupsd_config_t)
-corenet_tcp_bind_all_nodes(cupsd_config_t)
+corenet_tcp_sendrecv_all_if(cupsd_config_t)
+corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
+corenet_tcp_sendrecv_all_ports(cupsd_config_t)
 corenet_tcp_connect_all_ports(cupsd_config_t)
+corenet_sendrecv_all_client_packets(cupsd_config_t)
 
 dev_read_sysfs(cupsd_config_t)
 dev_read_urand(cupsd_config_t)
@@ -493,15 +501,13 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
 kernel_read_system_state(cupsd_lpd_t)
 kernel_read_network_state(cupsd_lpd_t)
 
+corenet_non_ipsec_sendrecv(cupsd_lpd_t)
 corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
 corenet_udp_sendrecv_all_if(cupsd_lpd_t)
-corenet_raw_sendrecv_all_if(cupsd_lpd_t)
 corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
 corenet_udp_sendrecv_all_nodes(cupsd_lpd_t)
-corenet_raw_sendrecv_all_nodes(cupsd_lpd_t)
 corenet_tcp_sendrecv_all_ports(cupsd_lpd_t)
 corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
-corenet_non_ipsec_sendrecv(cupsd_lpd_t)
 corenet_tcp_bind_all_nodes(cupsd_lpd_t)
 corenet_udp_bind_all_nodes(cupsd_lpd_t)
 corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -546,10 +552,9 @@ allow hplip_t self:fifo_file rw_file_perms;
 allow hplip_t self:process signal_perms;
 allow hplip_t self:unix_dgram_socket create_socket_perms;
 allow hplip_t self:unix_stream_socket create_socket_perms;
+allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
 allow hplip_t self:tcp_socket create_stream_socket_perms;
 allow hplip_t self:udp_socket create_socket_perms;
-allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
-# cjp: raw?
 allow hplip_t self:rawip_socket create_socket_perms;
 
 allow hplip_t cupsd_etc_t:dir search;
@@ -568,6 +573,7 @@ files_pid_filetrans(hplip_t,hplip_var_run_t,file)
 kernel_read_system_state(hplip_t)
 kernel_read_kernel_sysctls(hplip_t)
 
+corenet_non_ipsec_sendrecv(hplip_t)
 corenet_tcp_sendrecv_all_if(hplip_t)
 corenet_udp_sendrecv_all_if(hplip_t)
 corenet_raw_sendrecv_all_if(hplip_t)
@@ -576,7 +582,6 @@ corenet_udp_sendrecv_all_nodes(hplip_t)
 corenet_raw_sendrecv_all_nodes(hplip_t)
 corenet_tcp_sendrecv_all_ports(hplip_t)
 corenet_udp_sendrecv_all_ports(hplip_t)
-corenet_non_ipsec_sendrecv(hplip_t)
 corenet_tcp_bind_all_nodes(hplip_t)
 corenet_udp_bind_all_nodes(hplip_t)
 corenet_tcp_bind_hplip_port(hplip_t)
@@ -641,8 +646,6 @@ optional_policy(`
 	udev_read_db(hplip_t)
 ')
 
-allow hplip_t devpts_t:chr_file { getattr ioctl };
-
 ########################################
 #
 # PTAL local policy
@@ -675,12 +678,10 @@ kernel_read_kernel_sysctls(ptal_t)
 kernel_list_proc(ptal_t)
 kernel_read_proc_symlinks(ptal_t)
 
-corenet_tcp_sendrecv_all_if(ptal_t)
-corenet_raw_sendrecv_all_if(ptal_t)
-corenet_tcp_sendrecv_all_nodes(ptal_t)
-corenet_raw_sendrecv_all_nodes(ptal_t)
-corenet_tcp_sendrecv_all_ports(ptal_t)
 corenet_non_ipsec_sendrecv(ptal_t)
+corenet_tcp_sendrecv_all_if(ptal_t)
+corenet_tcp_sendrecv_all_nodes(ptal_t)
+corenet_tcp_sendrecv_all_ports(ptal_t)
 corenet_tcp_bind_all_nodes(ptal_t)
 corenet_tcp_bind_ptal_port(ptal_t)
 

refpolicy/policy/modules/services/rpc.if

@@ -217,6 +217,26 @@ interface(`rpc_domtrans_nfsd',`
 	allow nfsd_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##      Read NFS exported content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_read_nfs_content',`
+	gen_require(`
+		type nfsd_ro_t, nfsd_rw_t;	
+	')
+
+	allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
+	allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
+	allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
+')
+
 ########################################
 ## <summary>
 ##      Allow domain to create read and write NFS directories.
@@ -313,3 +333,23 @@ interface(`rpc_search_nfs_state_data',`
 	files_search_var_lib($1)
 	allow $1 var_lib_nfs_t:dir search;
 ')
+
+########################################
+## <summary>
+##	Read NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_read_nfs_state_data',`
+	gen_require(`
+		type var_lib_nfs_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 var_lib_nfs_t:dir search_dir_perms;
+	allow $1 var_lib_nfs_t:file read_file_perms;
+')

refpolicy/policy/modules/services/rpc.te

@@ -1,5 +1,5 @@
 
-policy_module(rpc,1.2.7)
+policy_module(rpc,1.2.8)
 
 ########################################
 #
@@ -24,13 +24,12 @@ rpc_domain_template(rpcd)
 rpc_domain_template(nfsd)
 
 type nfsd_rw_t;
-files_config_file(nfsd_rw_t)
+files_type(nfsd_rw_t)
 
 type nfsd_ro_t;
-files_config_file(nfsd_ro_t)
+files_type(nfsd_ro_t)
 
 type var_lib_nfs_t;
-files_config_file(var_lib_nfs_t)
 files_mountpoint(var_lib_nfs_t)
 
 ########################################

refpolicy/policy/modules/services/samba.te

@@ -1,5 +1,5 @@
 
-policy_module(samba,1.2.6)
+policy_module(samba,1.2.7)
 
 #################################
 #
@@ -33,7 +33,7 @@ type samba_secrets_t;
 files_type(samba_secrets_t)
 
 type samba_share_t; # customizable
-files_config_file(samba_share_t)
+files_type(samba_share_t)
 
 type samba_var_t;
 files_type(samba_var_t)

refpolicy/policy/modules/services/xserver.te

@@ -1,5 +1,5 @@
 
-policy_module(xserver,1.1.8)
+policy_module(xserver,1.1.9)
 
 ########################################
 #
@@ -54,7 +54,7 @@ files_tmpfs_file(xdm_tmpfs_t)
 
 # type for /var/lib/xkb
 type xkb_var_lib_t;
-files_config_file(xkb_var_lib_t)
+files_type(xkb_var_lib_t)
 
 # Type for the executable used to start the X server, e.g. Xwrapper.
 type xserver_exec_t;

refpolicy/policy/modules/system/miscfiles.te

@@ -1,5 +1,5 @@
 
-policy_module(miscfiles,1.0.1)
+policy_module(miscfiles,1.0.2)
 
 ########################################
 #
@@ -17,7 +17,7 @@ files_type(cert_t)
 # files in /usr
 #
 type fonts_t;
-files_config_file(fonts_t)
+files_type(fonts_t)
 
 #
 # type for /usr/share/hwdata