From d0eddb6b0dd9b13b8986d848e1a0cc0190c96a7f Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 5 May 2005 17:44:11 +0000
Subject: [PATCH] add in system_domain

---
 refpolicy/policy/modules/kernel/terminal.if | 17 ++++++-
 refpolicy/policy/modules/system/domain.if | 53 +++++++++++++++++----
 refpolicy/policy/modules/system/domain.te | 8 +++-
 refpolicy/policy/modules/system/files.if | 14 ++++++
 refpolicy/policy/modules/system/init.te | 8 ++--
 5 files changed, 83 insertions(+), 17 deletions(-)

diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 6e3cfa11..fe95e5d9 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -187,14 +187,27 @@ devices_list_device_nodes_depend
 #
 define(`terminal_use_controlling_terminal',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 devtty_t:chr_file { read write };
 ')
 
 define(`terminal_use_controlling_terminal_depend',`
 type devtty_t;
 class chr_file { read write };
-devices_list_device_nodes_depend
+')
+
+########################################
+#
+# terminal_ignore_use_controlling_terminal(domain)
+#
+define(`terminal_ignore_use_controlling_terminal',`
+requires_block_template(`$0'_depend)
+dontaudit $1 devtty_t:chr_file { read write };
+')
+
+define(`terminal_ignore_use_controlling_terminal_depend',`
+type devtty_t;
+class chr_file { read write };
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index ce4c059a..f1ac710c 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
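Review bot: `terminal_ignore_use_controlling_terminal` dontaudits only the devtty_t chr_file read/write, whereas its `allow` counterpart directly above also calls `devices_list_device_nodes($1)`; a caller that is meant to be silenced will presumably still log the device-directory lookup denial, since nothing in the new interface covers it. If that narrower scope is intended, a header comment such as `# Do not audit read/write of the controlling terminal (device directory lookup not covered)` would make it explicit. Removing `devices_list_device_nodes_depend` from `terminal_use_controlling_terminal_depend` appears to rely on the now non-optional `devices_list_device_nodes($1)` call carrying its own requirements, which matches the same pattern applied in the domain.if hunks.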
@@ -57,8 +57,8 @@ class file entrypoint;
 #
 define(`domain_make_init_domain',`
 requires_block_template(`$0'_depend)
-domain_make_domain($1,optional)
-domain_make_entrypoint_file($1,$2,optional)
+domain_make_domain($1)
+domain_make_entrypoint_file($1,$2)
 typeattribute $1 init_domain;
 typeattribute $2 init_domain_entry;
 role system_r types $1;
@@ -67,8 +67,6 @@ role system_r types $1;
 define(`domain_make_init_domain_depend',`
 attribute init_domain, init_domain_entry;
 role system_r;
-domain_make_domain_depend
-domain_make_entrypoint_file_depend
 ')
 
 ########################################
@@ -77,8 +75,8 @@ domain_make_entrypoint_file_depend
 #
 define(`domain_make_daemon_domain',`
 requires_block_template(`$0'_depend)
-domain_make_domain($1,optional)
-domain_make_entrypoint_file($1,$2,optional)
+domain_make_domain($1)
+domain_make_entrypoint_file($1,$2)
 typeattribute $1 daemon_domain;
 typeattribute $2 daemon_domain_entry;
 role system_r types $1;
@@ -87,8 +85,24 @@ role system_r types $1;
 define(`domain_make_daemon_domain_depend',`
 attribute init_domain, init_domain_entry;
 role system_r;
-domain_make_domain_depend
-domain_make_entrypoint_file_depend
+')
+
+########################################
+#
+# domain_make_system_domain(domain,entrypointfile)
+#
+define(`domain_make_system_domain',`
+requires_block_template(`$0'_depend)
+domain_make_domain($1)
+domain_make_entrypoint_file($1,$2)
+typeattribute $1 system_domain;
+typeattribute $2 system_domain_entry;
+role system_r types $1;
+')
+
+define(`domain_make_system_domain_depend',`
+attribute system_domain, system_domain_entry;
+role system_r;
 ')
 
 ########################################
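Review bot: `domain_make_daemon_domain_depend` still declares `attribute init_domain, init_domain_entry;` although the macro it backs tags its arguments with `daemon_domain` and `daemon_domain_entry`; the last hunk rewrites this block but keeps the copy-paste from the init variant, so the requires block names the wrong attributes. The new `domain_make_system_domain_depend` in the same hunk gets it right with `attribute system_domain, system_domain_entry;`, so the fix is the one line `attribute daemon_domain, daemon_domain_entry;`. Whether the build would catch the mismatch depends on how `requires_block_template` is expanded, which is outside this diff.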
@@ -140,7 +154,7 @@ define(`domain_all_init_domains_transition',`
 requires_block_template(`$0'_depend)
 allow $1 init_domain:process transition;
 allow $1 init_domain_entry:file { getattr read execute };
-dontaudit $1 daemon_domain:process { noatsecure siginh rlimitinh };
+dontaudit $1 init_domain:process { noatsecure siginh rlimitinh };
 ')
 
 define(`domain_all_init_domains_transition_depend',`
@@ -157,7 +171,7 @@ define(`domain_all_daemon_domains_transition',`
 requires_block_template(`$0'_depend)
 allow $1 daemon_domain:process transition;
 allow $1 daemon_domain_entry:file { getattr read execute };
-allow init_domain $1:fd use;
+allow daemon_domain $1:fd use;
 allow $1 daemon_domain:process { noatsecure siginh rlimitinh };
 ')
 
@@ -167,6 +181,25 @@ class process { transition noatsecure siginh rlimitinh };
 class file { getattr read execute };
 ')
 
+########################################
+#
+# domain_all_system_domains_transition(domain)
+#
+define(`domain_all_system_domains_transition',`
+requires_block_template(`$0'_depend)
+allow $1 system_domain:process transition;
+allow $1 system_domain_entry:file { getattr read execute };
+allow system_domain $1:fd use;
+allow $1 system_domain:process { noatsecure siginh rlimitinh };
+')
+
+define(`domain_all_system_domains_transition_depend',`
+attribute system_domain, system_domain_entry;
+class process { transition noatsecure siginh rlimitinh };
+class file { getattr read execute };
+')
+
+
 ########################################
 #
 # domain_signal_all_domains(domain)
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
index 9eb85903..62eeef56 100644
--- a/refpolicy/policy/modules/system/domain.te
+++ b/refpolicy/policy/modules/system/domain.te
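Review bot: `domain_all_system_domains_transition_depend` declares `class process { transition noatsecure siginh rlimitinh };` and `class file { getattr read execute };` but the macro it backs also emits `allow system_domain $1:fd use;`, so the fd class is missing from the requires block; adding `class fd use;` there would complete it (the daemon variant's depend block begins above the second hunk, so I cannot tell whether it has the same gap). Separately, the init variant in the first hunk uses `dontaudit` for `{ noatsecure siginh rlimitinh }` while the daemon and new system variants `allow` them, so domains started through the system interface inherit the caller's rlimits and signal state and the transition may skip AT_SECURE handling; if that asymmetry is deliberate, a comment above the allow such as `# system domains inherit caller state on transition; init domains do not` would record why. The two consecutive added blank lines before the `domain_signal_all_domains` header are a style nit.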
@@ -12,7 +12,13 @@ attribute entry_type;
 attribute init_domain;
 attribute init_domain_entry;
 
-# processes started by init scripts
+# short running processes started by init scripts,
+# such as mount, usually for initializing the system
+attribute system_domain;
+attribute system_domain_entry;
+
+# long running application processes started by
+# init scripts, such as sshd
 attribute daemon_domain;
 attribute daemon_domain_entry;
 
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index d8c50e65..bb4e451d 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -500,6 +500,20 @@ type var_t;
 class dir search;
 ')
 
+########################################
+#
+# files_ignore_search_system_state_data_directory(domain)
+#
+define(`files_ignore_search_system_state_data_directory',`
+requires_block_template(`$0'_depend)
+dontaudit $1 var_t:dir search;
+')
+
+define(`files_ignore_search_system_state_data_directory_depend',`
+type var_t;
+class dir search;
+')
+
 ########################################
 #
 # files_manage_pseudorandom_saved_seed(domain)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index aa302e24..6111e34f 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -213,10 +213,6 @@ corenetwork_network_udp_on_all_ports(initrc_t)
 corenetwork_bind_tcp_on_all_nodes(initrc_t)
 corenetwork_bind_udp_on_all_nodes(initrc_t)
 
-domain_kill_all_domains(initrc_t)
-domain_read_all_domains_process_state(initrc_t)
-domain_all_daemon_domains_transition(initrc_t)
-
 devices_get_random_data(initrc_t)
 devices_get_pseudorandom_data(initrc_t)
 devices_add_entropy(initrc_t)
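Review bot: The new comments in domain.te describe `system_domain` as short-running initialization helpers and `daemon_domain` as long-running services, but the policy this commit attaches to the two attributes in domain.if is identical (transition, entrypoint execute, fd use, and the allowed noatsecure/siginh/rlimitinh), so within this diff the split carries only a naming distinction. A sentence in the comment stating whether the two sets are expected to receive different rules, or exist so that callers can be granted transitions to one set and not the other, would save the next reader from searching for a rule difference that is not here. If distinguishing rules live outside this diff, naming where would serve the same purpose.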
@@ -236,6 +232,10 @@ terminal_reset_physical_terminal_labels(initrc_t)
 
 bootloader_read_kernel_symbol_table(initrc_t)
 
+domain_kill_all_domains(initrc_t)
+domain_read_all_domains_process_state(initrc_t)
+domain_all_daemon_domains_transition(initrc_t)
+domain_all_system_domains_transition(initrc_t)
 domain_use_widely_inheritable_file_descriptors(initrc_t)
 
 libraries_modify_dynamic_loader_cache(initrc_t)
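Review bot: `domain_all_system_domains_transition(initrc_t)` grants initrc_t `noatsecure siginh rlimitinh` towards every type later tagged `system_domain` (per the macro added in domain.if), so each new system domain automatically inherits initrc_t's rlimits and signal state on transition without any per-domain decision. A short comment on this line, e.g. `# all system domains inherit initrc_t state on transition (noatsecure siginh rlimitinh)`, would flag that to whoever next adds a system domain. The relocation of the three existing domain_* calls from the earlier hunk is otherwise a pure move.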