From bf469d766928777faac4fb50be06f53457f7de93 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Tue, 19 Sep 2006 17:02:29 +0000
Subject: [PATCH] gentoo testing fixes

---
 policy/modules/kernel/corenetwork.if.in | 124 ++++++++++++++++++++++++
 policy/modules/kernel/corenetwork.if.m4 | 109 +++++++++++++++++++++
 policy/modules/kernel/corenetwork.te.in |   2 +-
 policy/modules/kernel/devices.if        |  18 ++++
 policy/modules/kernel/devices.te        |   2 +-
 policy/modules/kernel/files.if          |  63 ++++++++----
 policy/modules/kernel/files.te          |   2 +-
 policy/modules/kernel/kernel.if         |  33 +++++++
 policy/modules/kernel/kernel.te         |   2 +-
 policy/modules/services/ssh.if          |   7 +-
 policy/modules/services/ssh.te          |   2 +-
 policy/modules/system/getty.te          |  16 ++-
 policy/modules/system/init.te           |   8 +-
 policy/modules/system/modutils.te       |   3 +-
 14 files changed, 359 insertions(+), 32 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 65fbe15a..af360bcd 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -40,6 +40,25 @@ interface(`corenet_udp_send_generic_if',`
 	allow $1 netif_t:netif udp_send;
 ')
 
+########################################
+## <summary>
+##	Dontaudit attempts to send UDP network traffic
+##	on generic interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_send_generic_if',`
+	gen_require(`
+		type netif_t;
+	')
+
+	dontaudit $1 netif_t:netif udp_send;
+')
+
 ########################################
 ## <summary>
 ##	Receive UDP network traffic on generic interfaces.
@@ -58,6 +77,25 @@ interface(`corenet_udp_receive_generic_if',`
 	allow $1 netif_t:netif udp_recv;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to receive UDP network
+##	traffic on generic interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_receive_generic_if',`
+	gen_require(`
+		type netif_t;
+	')
+
+	dontaudit $1 netif_t:netif udp_recv;
+')
+
 ########################################
 ## <summary>
 ##	Send and Receive UDP network traffic on generic interfaces.
@@ -73,6 +111,22 @@ interface(`corenet_udp_sendrecv_generic_if',`
 	corenet_udp_receive_generic_if($1)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to send and receive UDP network
+##	traffic on generic interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_sendrecv_generic_if',`
+	corenet_dontaudit_udp_send_generic_if($1)
+	corenet_dontaudit_udp_receive_generic_if($1)
+')
+
 ########################################
 ## <summary>
 ##	Send raw IP packets on generic interfaces.
@@ -436,6 +490,25 @@ interface(`corenet_udp_send_all_nodes',`
 	allow $1 node_type:node udp_send;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to send UDP network
+##	traffic on any nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_send_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	dontaudit $1 node_type:node udp_send;
+')
+
 ########################################
 ## <summary>
 ##	Receive UDP network traffic on all nodes.
@@ -454,6 +527,25 @@ interface(`corenet_udp_receive_all_nodes',`
 	allow $1 node_type:node udp_recv;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to receive UDP
+##	network traffic on all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_receive_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	dontaudit $1 node_type:node udp_recv;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive UDP network traffic on all nodes.
@@ -469,6 +561,22 @@ interface(`corenet_udp_sendrecv_all_nodes',`
 	corenet_udp_receive_all_nodes($1)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to send and receive UDP
+##	network traffic on any nodes nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_sendrecv_all_nodes',`
+	corenet_dontaudit_udp_send_all_nodes($1)
+	corenet_dontaudit_udp_receive_all_nodes($1)
+')
+
 ########################################
 ## <summary>
 ##	Send raw IP packets on all nodes.
@@ -1310,6 +1418,22 @@ interface(`corenet_non_ipsec_sendrecv',`
 	kernel_sendrecv_unlabeled_association($1)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to send and receive
+##	messages on a non-encrypted (no IPSEC) network
+##	session.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_non_ipsec_sendrecv',`
+	kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
 ########################################
 ## <summary>
 ##	Send generic client packets.
diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
index 51908e23..c20c7a45 100644
--- a/policy/modules/kernel/corenetwork.if.m4
+++ b/policy/modules/kernel/corenetwork.if.m4
@@ -358,6 +358,25 @@ interface(`corenet_udp_send_$1_port',`
 	allow dollarsone $1_$2:udp_socket send_msg;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to send UDP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_$1_port',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	dontaudit dollarsone $1_$2:udp_socket send_msg;
+')
+
 ########################################
 ## <summary>
 ##	Receive UDP traffic on the $1 port.
@@ -377,6 +396,25 @@ interface(`corenet_udp_receive_$1_port',`
 	allow dollarsone $1_$2:udp_socket recv_msg;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to receive UDP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_$1_port',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	dontaudit dollarsone $1_$2:udp_socket recv_msg;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive UDP traffic on the $1 port.
@@ -393,6 +431,23 @@ interface(`corenet_udp_sendrecv_$1_port',`
 	corenet_udp_receive_$1_port(dollarsone)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to send and receive
+##	UDP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_$1_port',`
+	corenet_dontaudit_udp_send_$1_port(dollarsone)
+	corenet_dontaudit_udp_receive_$1_port(dollarsone)
+')
+
 ########################################
 ## <summary>
 ##	Bind TCP sockets to the $1 port.
@@ -472,6 +527,25 @@ interface(`corenet_send_$1_packets',`
 	allow dollarsone $1_packet_t:packet send;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to send $1 packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_$1_packets',`
+	gen_require(`
+		type $1_packet_t;
+	')
+
+	dontaudit dollarsone $1_packet_t:packet send;
+')
+
 ########################################
 ## <summary>
 ##	Receive $1 packets.
@@ -491,6 +565,25 @@ interface(`corenet_receive_$1_packets',`
 	allow dollarsone $1_packet_t:packet recv;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to receive $1 packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_$1_packets',`
+	gen_require(`
+		type $1_packet_t;
+	')
+
+	dontaudit dollarsone $1_packet_t:packet recv;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive $1 packets.
@@ -507,6 +600,22 @@ interface(`corenet_sendrecv_$1_packets',`
 	corenet_receive_$1_packets(dollarsone)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to send and receive $1 packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_$1_packets',`
+	corenet_dontaudit_send_$1_packets(dollarsone)
+	corenet_dontaudit_receive_$1_packets(dollarsone)
+')
+
 ########################################
 ## <summary>
 ##	Relabel packets to $1 the packet type.
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 169e5821..65dfdd01 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.1.15)
+policy_module(corenetwork,1.1.16)
 
 ########################################
 #
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 85837297..918657bf 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -145,6 +145,24 @@ interface(`dev_create_generic_dirs',`
 	allow $1 device_t:dir { ra_dir_perms create };
 ')
 
+########################################
+## <summary>
+##	Delete a directory in the device directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to create the directory.
+##	</summary>
+## </param>
+#
+interface(`dev_delete_generic_dirs',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir { del_entry_dir_perms rmdir };
+')
+
 ########################################
 ## <summary>
 ##	Allow full relabeling (to and from) of directories in /dev.
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 6f30f635..bc5b1c09 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.21)
+policy_module(devices,1.1.22)
 
 ########################################
 #
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index c390959f..a9d46014 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3347,27 +3347,6 @@ interface(`files_usr_filetrans',`
 	type_transition $1 usr_t:$3 $2;
 ')
 
-########################################
-## <summary>
-##	Execute programs in /usr/src in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_exec_usr_src_files',`
-	gen_require(`
-		type usr_t, src_t;
-	')
-
-	allow $1 usr_t:dir search;
-	allow $1 src_t:dir r_dir_perms;
-	allow $1 src_t:lnk_file r_file_perms;
-	can_exec($1,src_t)
-')
-
 ########################################
 ## <summary>
 ##	Do not audit attempts to search /usr/src.
@@ -3386,6 +3365,27 @@ interface(`files_dontaudit_search_src',`
 	dontaudit $1 src_t:dir search;
 ')
 
+########################################
+## <summary>
+##	Get the attributes of files in /usr/src.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_usr_src_files',`
+	gen_require(`
+		type usr_t, src_t;
+	')
+
+	allow $1 { usr_t src_t }:dir search_dir_perms;
+
+	allow $1 src_t:lnk_file { getattr read };
+	allow $1 src_t:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read files in /usr/src.
@@ -3406,6 +3406,27 @@ interface(`files_read_usr_src_files',`
 	allow $1 src_t:{ file lnk_file } r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Execute programs in /usr/src in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_exec_usr_src_files',`
+	gen_require(`
+		type usr_t, src_t;
+	')
+
+	allow $1 usr_t:dir search;
+	allow $1 src_t:dir r_dir_perms;
+	allow $1 src_t:lnk_file r_file_perms;
+	can_exec($1,src_t)
+')
+
 ########################################
 ## <summary>
 ##	Install a system.map into the /boot directory.
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index dea8e5ca..81e4660c 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
 
-policy_module(files,1.2.16)
+policy_module(files,1.2.17)
 
 ########################################
 #
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 2aa08cc7..11e08079 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2131,6 +2131,39 @@ interface(`kernel_sendrecv_unlabeled_association',`
 	allow $1 unlabeled_t:packet { send recv };
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to send and receive messages
+##	from an	unlabeled IPSEC association.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to send and receive messages
+##	from an	unlabeled IPSEC association.  Network
+##	connections that are not protected
+##	by IPSEC have use an unlabeled
+##	assocation.
+##	</p>
+##	<p>
+##	The corenetwork interface
+##	corenet_dontaudit_non_ipsec_sendrecv() should
+##	be used instead of this one.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:association { sendto recvfrom };
+')
+
 ########################################
 ## <summary>
 ##	Send and receive unlabeled packets.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 34b4d1bd..5fe4843b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.3.15)
+policy_module(kernel,1.3.16)
 
 ########################################
 #
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index a801ebac..07350731 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -470,9 +470,10 @@ template(`ssh_server_template', `
 	allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 	allow $1_t self:fifo_file rw_file_perms;
 	allow $1_t self:process { signal setsched setrlimit setexec };
-
-	allow $1_t self:tcp_socket { listen accept create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
-	allow $1_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown };
+	allow $1_t self:tcp_socket create_stream_socket_perms;
+	allow $1_t self:udp_socket create_socket_perms;
+	# ssh agent connections:
+	allow $1_t self:unix_stream_socket create_stream_socket_perms;
 
 	allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr getattr relabelfrom };
 	term_create_pty($1_t,$1_devpts_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 232c0059..399e9132 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
 
-policy_module(ssh,1.3.10)
+policy_module(ssh,1.3.11)
 
 ########################################
 #
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index e6a67456..8900a5b4 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -1,5 +1,5 @@
 
-policy_module(getty,1.1.3)
+policy_module(getty,1.1.4)
 
 ########################################
 #
@@ -105,6 +105,20 @@ logging_send_syslog_msg(getty_t)
 
 miscfiles_read_localization(getty_t)
 
+ifdef(`distro_gentoo',`
+	# Gentoo default /etc/issue makes agetty
+	# do a DNS lookup for the hostname
+	dontaudit getty_t self:udp_socket create_socket_perms;
+
+	corenet_dontaudit_non_ipsec_sendrecv(getty_t)
+	corenet_dontaudit_udp_sendrecv_generic_if(getty_t)
+	corenet_dontaudit_udp_sendrecv_all_nodes(getty_t)
+	corenet_dontaudit_udp_sendrecv_dns_port(getty_t)
+	corenet_dontaudit_sendrecv_dns_client_packets(getty_t)
+
+	sysnet_dontaudit_read_config(getty_t)
+')
+
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(getty_t)
 	term_dontaudit_use_generic_ptys(getty_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 2ee4fe08..d35db82d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.23)
+policy_module(init,1.3.24)
 
 gen_require(`
 	class passwd rootok;
@@ -411,6 +411,12 @@ ifdef(`distro_gentoo',`
 	dev_create_generic_dirs(initrc_t)
 	term_create_console_dev(initrc_t)
 
+	# unfortunately /sbin/rc does stupid tricks
+	# with /dev/.rcboot to decide if we are in
+	# early init
+	dev_create_generic_dirs(initrc_t)
+	dev_delete_generic_dirs(initrc_t)
+
 	# needed until baselayout is fixed to have the
 	# restorecon on /dev to again be immediately after
 	# mounting tmpfs on /dev
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 5184b747..4e702a83 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
 
-policy_module(modutils,1.1.5)
+policy_module(modutils,1.1.6)
 
 gen_require(`
 	bool secure_mode_insmod;
@@ -277,6 +277,7 @@ userdom_dontaudit_search_sysadm_home_dirs(update_modules_t)
 
 ifdef(`distro_gentoo',`
 	files_search_pids(update_modules_t)
+	files_getattr_usr_src_files(update_modules_t)
 
 	optional_policy(`
 		consoletype_exec(update_modules_t)