From c655ec47f91afd556b811edd707dbb8c7dd8efc0 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 12 Apr 2006 16:58:23 +0000
Subject: [PATCH] second part of dans patch Tue, 11 Apr 2006 09:25:24 -0400
---
 refpolicy/policy/modules/apps/ada.fc | 9 ++++++
 refpolicy/policy/modules/apps/ada.if | 29 +++++++++++++++++++
 refpolicy/policy/modules/apps/ada.te | 23 +++++++++++++++
 refpolicy/policy/modules/apps/mono.te | 10 ++++++-
 refpolicy/policy/modules/kernel/devices.if | 19 ++++++++++++
 refpolicy/policy/modules/kernel/devices.te | 2 +-
 refpolicy/policy/modules/services/hal.te | 4 ++-
 refpolicy/policy/modules/system/unconfined.te | 8 ++---
 8 files changed, 97 insertions(+), 7 deletions(-)
 create mode 100644 refpolicy/policy/modules/apps/ada.fc
 create mode 100644 refpolicy/policy/modules/apps/ada.if
 create mode 100644 refpolicy/policy/modules/apps/ada.te
diff --git a/refpolicy/policy/modules/apps/ada.fc b/refpolicy/policy/modules/apps/ada.fc
new file mode 100644
index 00000000..01a85729
--- /dev/null
+++ b/refpolicy/policy/modules/apps/ada.fc
@@ -0,0 +1,9 @@
+#
+# /usr
+#
+ifdef(`targeted_policy',`
+/usr/bin/gnatbind -- gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatls -- gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatmake -- gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0)
+')
diff --git a/refpolicy/policy/modules/apps/ada.if b/refpolicy/policy/modules/apps/ada.if
new file mode 100644
index 00000000..6d8950f4
--- /dev/null
+++ b/refpolicy/policy/modules/apps/ada.if
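Review bot: All four file contexts sit inside the targeted_policy ifdef, so under strict policy the GNAT binaries never receive ada_exec_t and nothing in the file says that is intentional. A header comment such as `# ada_t is only defined for targeted policy; the GNAT binaries keep their default label elsewhere` would mark this as deliberate rather than an omission. The matching strict-policy no-op is only discoverable by reading the errprint branch in ada.if.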
@@ -0,0 +1,29 @@
+## GNAT Ada95 compiler
+
+########################################
+##
+## Execute the ada program in the ada domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ada_domtrans',`
+ ifdef(`targeted_policy',`
+ gen_require(`
+ type ada_t, ada_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_trans($1, ada_exec_t, ada_t)
+
+ allow $1 ada_t:fd use;
+ allow ada_t $1:fd use;
+ allow ada_t $1:fifo_file rw_file_perms;
+ allow ada_t $1:process sigchld;
+ ',`
+ errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+ ')
+')
diff --git a/refpolicy/policy/modules/apps/ada.te b/refpolicy/policy/modules/apps/ada.te
new file mode 100644
index 00000000..f8167b8d
--- /dev/null
+++ b/refpolicy/policy/modules/apps/ada.te
@@ -0,0 +1,23 @@
+
+policy_module(ada,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ada_t;
+type ada_exec_t;
+domain_type(ada_t)
+domain_entry_file(ada_t,ada_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+ allow ada_t self:process { execstack execmem };
+ unconfined_domain_noaudit(ada_t)
+ role system_r types ada_t;
+')
diff --git a/refpolicy/policy/modules/apps/mono.te b/refpolicy/policy/modules/apps/mono.te
index a3bfa8b7..1715c18d 100644
--- a/refpolicy/policy/modules/apps/mono.te
+++ b/refpolicy/policy/modules/apps/mono.te
@@ -1,5 +1,5 @@
 
-policy_module(mono,1.1.0)
+policy_module(mono,1.1.1)
 
 ########################################
 #
@@ -21,4 +21,12 @@ ifdef(`targeted_policy',`
 allow mono_t self:process { execheap execmem };
 unconfined_domain_noaudit(mono_t)
 role system_r types mono_t;
+
+ optional_policy(`
+ avahi_dbus_chat(mono_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(mono_t)
+ ')
 ')
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 1ee19c4a..62ff408c 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
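Review bot: The summary `Execute the ada program in the ada domain.` hides the fact a caller of ada_domtrans most needs to know: per ada.te in this same patch, ada_t is an unconfined_domain_noaudit domain that additionally holds execstack and execmem, so any domain given this interface spawns unconfined, executable-stack children rather than entering a confinement boundary. I would extend the summary to `Execute the GNAT Ada toolchain in the ada domain. In targeted policy ada_t is unconfined and has execmem/execstack; in strict policy this interface has no effect.` The strict-policy branch only emits an errprint warning, and saying so in the summary saves callers from discovering it at build time. The fd, fifo_file and sigchld rules themselves match the usual domtrans pattern.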
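Review bot: The targeted block grants `allow ada_t self:process { execstack execmem };` on top of `unconfined_domain_noaudit(ada_t)` without a comment on why an already-unconfined program needs its own domain, so the domain reads like a no-op. A line above the ifdef such as `# GNAT needs execmem/execstack; run it in its own unconfined domain so those permissions need not be given to every caller` would record the motivation, which I am inferring from the mono.te pattern rather than from anything stated in this file. The type declarations and domain_entry_file call are unconditional while every rule is targeted-only, which is the same shape mono.te uses and is fine, but worth a word in the same comment so nobody "fixes" it for strict policy.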
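Review bot: mono_t is already `unconfined_domain_noaudit(mono_t)` in the context lines of the second mono.te hunk, so the new `avahi_dbus_chat(mono_t)` and `hal_dbus_chat(mono_t)` calls need a comment saying what they add; presumably the dbus_chat interfaces also grant the reverse direction (avahi and hal sending to mono_t), which the unconfined rules on mono_t would not cover, but that is inferred, not visible here. I would put `# dbus_chat also lets avahi/hal send_msg to mono_t, which unconfined_domain does not grant` above the two optional_policy blocks. The first mono.te hunk is only the version bump.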
@@ -2530,6 +2530,25 @@ interface(`dev_list_usbfs',`
 allow $1 usbfs_t:file getattr;
 ')
 
+########################################
+##
+## Set the attributes of usbfs filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_usbfs_files',`
+ gen_require(`
+ type usbfs_t;
+ ')
+
+ allow $1 usbfs_t:dir r_dir_perms;
+ allow $1 usbfs_t:file setattr;
+')
+
 ########################################
 ##
 ## Read USB hardware information using
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 8e9f3777..8f6bd834 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.9)
+policy_module(devices,1.1.10)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 6895d463..877926bf 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.3.3)
+policy_module(hal,1.3.4)
 
 ########################################
 #
@@ -80,6 +80,8 @@ dev_read_lvm_control(hald_t)
 dev_getattr_all_chr_files(hald_t)
 dev_manage_generic_chr_files(hald_t)
 dev_rw_generic_usb_dev(hald_t)
+dev_setattr_generic_usb_dev(hald_t)
+dev_setattr_usbfs_files(hald_t)
 
 # hal is now execing pm-suspend
 dev_rw_sysfs(hald_t)
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 06742496..1d48a909 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.3.4)
+policy_module(unconfined,1.3.5)
 
 ########################################
 #
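Review bot: The summary `Set the attributes of usbfs filesystem.` understates what dev_setattr_usbfs_files grants: `allow $1 usbfs_t:dir r_dir_perms;` hands out read and search on usbfs directories in addition to the `file setattr` the name promises, so a caller wanting only setattr also receives the listing access that the adjacent dev_list_usbfs exists for. If the caller only needs to reach the files by path, `allow $1 usbfs_t:dir search;` would be the narrower rule; if enumeration really is required, the doc should say so, e.g. `## Set the attributes of files in usbfs; also grants read/search on usbfs directories.` The name says _files while the summary says filesystem; the two should agree.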
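Review bot: `dev_setattr_generic_usb_dev(hald_t)` is called in the hal.te hunk, but this patch only adds dev_setattr_usbfs_files to devices.if, so the build relies on dev_setattr_generic_usb_dev already existing there; that should be confirmed before merging. Both new lines also lack the why-comment that the neighbouring `# hal is now execing pm-suspend` sets as the file's style; something like `# hal changes ownership/mode of usb device nodes (presumably for console-user access)` would do, hedged because the reason is not visible in this patch. setattr over every generic USB device node and every usbfs file is a broad grant for a daemon, so naming the concrete need makes later tightening possible.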
@@ -41,9 +41,9 @@ ifdef(`targeted_policy',`
 userdom_unconfined(unconfined_t)
 userdom_priveleged_home_dir_manager(unconfined_t)
 
-# optional_policy(`
-# ada_domtrans(unconfined_t)
-# ')
+ optional_policy(`
+ ada_domtrans(unconfined_t)
+ ')
 
 optional_policy(`
 amanda_domtrans_recover(unconfined_t)
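Review bot: Enabling `ada_domtrans(unconfined_t)` makes every GNAT invocation from unconfined_t transition into ada_t, which ada.te in this patch defines as unconfined_domain_noaudit plus execstack and execmem; the separate domain only buys something if unconfined_t itself does not already hold execmem/execstack, and that is not visible in this hunk and should be checked against the rest of unconfined.te. A comment such as `# run GNAT in ada_t so execmem/execstack stay out of unconfined_t` beside the call would record the intent for the next reader. The enclosing targeted_policy ifdef block starts before this hunk.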