From c3812748c36cb45980cd6cc8e38b41e4fb8126b5 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 18 Oct 2005 15:07:11 +0000
Subject: [PATCH] misc fixes

---
 refpolicy/Rules.modular | 2 +-
 refpolicy/policy/modules/admin/rpm.te | 6 ++++++
 refpolicy/policy/modules/kernel/kernel.te | 1 +
 refpolicy/policy/modules/kernel/mls.te | 1 +
 refpolicy/policy/modules/services/dbus.te | 2 +-
 refpolicy/policy/modules/services/privoxy.te | 3 +++
 refpolicy/policy/modules/services/sendmail.te | 9 ---------
 refpolicy/policy/modules/services/ssh.if | 2 +-
 refpolicy/policy/modules/services/ssh.te | 13 ++++++++-----
 refpolicy/policy/modules/system/init.te | 12 +++++------
 10 files changed, 27 insertions(+), 24 deletions(-)

diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index 9e90bb32..798f9896 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
@@ -1,6 +1,6 @@
 ########################################
 #
-# Rules and Targets for building monolithic policies
+# Rules and Targets for building modular policies
 #
 
 ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS))
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 9939948f..c1a39c52 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -314,6 +314,12 @@ seutil_domtrans_restorecon(rpm_script_t)
 userdom_use_all_user_fd(rpm_script_t)
 
+ifdef(`distro_redhat',`
+ optional_policy(`mta.te',`
+ mta_send_mail(rpm_script_t)
+ ')
+')
+
 ifdef(`targeted_policy',`
 unconfined_domain_template(rpm_t)
 ')
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index d7611ba2..0d0f6c78 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
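Review bot: The added `mta_send_mail(rpm_script_t)` block carries no comment saying why an rpm scriptlet needs to run the MTA, whereas the rule it replaces in sendmail.te (removed further down in this patch) explained it with `# Need this transition to create /etc/aliases.db`. Keep that reason with the grant so it can be justified and narrowed later, e.g. `# rpm scriptlets run the MTA to rebuild /etc/aliases.db` above the `optional_policy`. I am assuming `mta_send_mail` provides the same rpm_script_t -> system_mail_t transition the old `domain_auto_trans` did; the interface body is not in this patch, so confirm that before relying on it.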
@@ -156,6 +156,7 @@ allow kernel_t self:capability *;
 allow kernel_t unlabeled_t:dir mounton;
 
 # old general_domain_access()
+allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow kernel_t self:shm create_shm_perms;
 allow kernel_t self:sem create_sem_perms;
 allow kernel_t self:msg { send receive };
diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te
index bbdabb5c..6e1c3580 100644
--- a/refpolicy/policy/modules/kernel/mls.te
+++ b/refpolicy/policy/modules/kernel/mls.te
@@ -56,6 +56,7 @@ type getty_t;
 type login_exec_t;
 type init_exec_t;
 type initrc_t;
+type sshd_exec_t;
 type su_exec_t;
 type udev_exec_t;
 type unconfined_t;
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 14dabc32..83ec8c5c 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -32,7 +32,7 @@ files_pid_file(system_dbusd_var_run_t)
 # cjp: dac_override should probably go in a distro_debian
 allow system_dbusd_t self:capability { dac_override setgid setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process getattr;
+allow system_dbusd_t self:process { getattr signal_perms };
 allow system_dbusd_t self:fifo_file { read write };
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
 allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index 4b5eec3d..a1d107bf 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
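Review bot: The new `allow kernel_t self:process ~{ ... }` is a negated set, so it grants every permission in the process class that is not listed, including any permission added to the class by a later policy or kernel version — the grant widens silently. Since the excluded set was chosen deliberately (ptrace, the setexec/setcurrent/setfscreate family, setrlimit, the exec* perms), the remainder should be written as a positive list of what kernel_t actually needs (presumably the signal, sched, session/pgid, cap, share and getattr perms — confirm against the current class definition), or at least carry a comment such as `# negated set: any process permission added later is granted here by default`. The `self:capability *` in the hunk header is pre-existing and not part of this change.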
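Review bot: `type sshd_exec_t;` is now declared in mls.te but is owned, labelled with `files_type` and used by ssh.te, and nothing on this side records that. A short comment next to the declaration would stop a maintainer from treating it as an MLS-only type or dropping it when ssh is not built, e.g. `# owned by ssh.te; declared here only because range_transition is not yet supported in loadable modules`. If the mls module can ever be left out of a build, the `gen_require` that ssh.te now places on this type will fail at link time — confirm that mls.te is unconditionally part of the base policy.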
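Review bot: `signal_perms` is added to `system_dbusd_t self:process` without a comment saying which signal use triggered it. Self-signalling is low risk, but denial-driven widenings are hard to revisit later without the reason; propose `# dbus-daemon signals itself (observed as AVC denials — confirm which signals)` so the set can be narrowed to the specific permission if only one is needed. While in this block, the pre-existing `{ connectto create_stream_socket_perms connectto }` on the unix_stream_socket rule lists `connectto` twice and could be tidied.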
@@ -23,6 +23,7 @@ files_pid_file(privoxy_var_run_t)
 allow privoxy_t self:capability { setgid setuid };
 dontaudit privoxy_t self:capability sys_tty_config;
+allow privoxy_t self:tcp_socket create_stream_socket_perms;
 
 allow privoxy_t privoxy_log_t:file create_file_perms;
 allow privoxy_t privoxy_log_t:dir rw_dir_perms;
@@ -41,6 +42,8 @@ corenet_tcp_sendrecv_all_nodes(privoxy_t)
 corenet_raw_sendrecv_all_nodes(privoxy_t)
 corenet_tcp_sendrecv_all_ports(privoxy_t)
 corenet_tcp_bind_http_cache_port(privoxy_t)
+corenet_tcp_connect_http_port(privoxy_t)
+corenet_tcp_connect_ftp_port(privoxy_t)
 
 dev_read_sysfs(privoxy_t)
 
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 0ac4b5f0..63562437 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -130,15 +130,6 @@ optional_policy(`rhgb.te', `
 rhgb_domain(sendmail_t)
 ')
 
-#
-# Need this transition to create /etc/aliases.db
-#
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-domain_auto_trans(rpm_script_t, sendmail_exec_t, system_mail_t)
-')
-')
-
 allow sendmail_t etc_mail_t:dir rw_dir_perms;
 allow sendmail_t etc_mail_t:file create_file_perms;
 # for the start script to run make -C /etc/mail
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 3f1eb12d..66ae0813 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -528,7 +528,7 @@ template(`ssh_server_template', `
 ')
 
 optional_policy(`nscd.te',`
- nscd_use_socket(crond_t)
+ nscd_use_socket($1_t)
 ')
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 8935f684..efcdc31d 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
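Review bot: `corenet_tcp_connect_ftp_port(privoxy_t)` lets an HTTP proxy open outbound connections to the ftp port, which is wider egress than forwarding HTTP needs, and nothing in the hunk says why it is required. If it came from an observed denial, record the reason next to it (`# ftp: <reason>`); otherwise drop it and keep only the http connect. The `self:tcp_socket create_stream_socket_perms` and http connect additions look consistent with the existing `corenet_tcp_bind_http_cache_port` line. Note the domain already has `corenet_tcp_sendrecv_all_ports` (context line), so these port-level connect rules appear to be the only thing actually restricting where privoxy may connect.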
@@ -24,7 +24,15 @@ role system_r types ssh_keygen_t;
 type ssh_keysign_exec_t;
 files_type(ssh_keysign_exec_t)
 
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+ type sshd_exec_t;
+')
+files_type(sshd_exec_t)
+
 ssh_server_template(sshd)
+ssh_server_template(sshd_extern)
 
 # cjp: commenting this out until typeattribute works in a conditional
 #optional_policy(`inetd.te',`
@@ -39,11 +47,6 @@ ssh_server_template(sshd)
 init_daemon_domain(sshd_t,sshd_exec_t)
 #')
 
-type sshd_exec_t;
-files_type(sshd_exec_t)
-
-ssh_server_template(sshd_extern)
-
 type sshd_key_t;
 files_type(sshd_key_t)
 
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 9b5f8e47..9513fade 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,6 +1,10 @@
 policy_module(init,1.0)
 
+gen_require(`
+ class passwd rootok;
+')
+
 ########################################
 #
 # Declarations
@@ -569,13 +573,7 @@ optional_policy(`squid.te',`
 ')
 
 optional_policy(`ssh.te',`
- optional_policy(`inetd.te',` tunable_policy(`run_ssh_inetd',`',` ssh_dontaudit_read_server_keys(initrc_t) ') ',` ssh_dontaudit_read_server_keys(initrc_t) ')
+ ssh_dontaudit_read_server_keys(initrc_t)
 ')
 
 optional_policy(`sysnetwork.te',`
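Review bot: The comment above the new `gen_require` says the declaration was moved to mls "until range_transition works in loadable modules" but not which rule needs it, so there is no trigger telling a maintainer when to move it back. Make it a TODO that names the dependency: `# TODO: sshd_exec_t is declared in mls.te because of its range_transition rule (confirm); move the declaration back here once loadable modules support range_transition`. `files_type(sshd_exec_t)` stays in this file, so the type's attribute assignment and its declaration now live in different modules — worth stating in the same comment so neither side gets removed independently.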
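Review bot: The new `gen_require(` class passwd rootok; `)` at the top of init.te is not referenced by anything in this patch, and a require block separated from its use gives no hint which rule depends on it. Place it next to the `passwd:rootok` rule it supports, or add a comment naming that rule (`# required by the passwd rootok rule below`); if no rule in init.te uses rootok, the require is dead and should be dropped. The rest of the file is outside this hunk, so I cannot tell which case applies.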
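Review bot: Collapsing the `run_ssh_inetd` branches into an unconditional `ssh_dontaudit_read_server_keys(initrc_t)` means that when sshd runs under inetd the init scripts' attempts to read the host keys are now silenced as well; a dontaudit is not a grant, but it hides a signal the removed branch structure appears to have kept on purpose. A one-line comment would record the new intent: `# init scripts probe the host keys at startup; reads are denied but not audited regardless of the inetd tunable`. I am inferring the old intent from the removed branch structure only, so adjust the wording if the tunable was already obsolete.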