From d42c7ede2a15e51fec7c939ffdf0713d15b8cf1c Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 24 Mar 2006 18:59:51 +0000 Subject: [PATCH] Additional interfaces in corecommands, miscfiles, and userdomain from Joy Latten. --- refpolicy/Changelog | 2 + .../policy/modules/kernel/corecommands.if | 37 +++++- .../policy/modules/kernel/corecommands.te | 2 +- refpolicy/policy/modules/system/miscfiles.if | 59 ++++++++++ refpolicy/policy/modules/system/miscfiles.te | 2 +- refpolicy/policy/modules/system/userdomain.if | 109 ++++++++++++++++++ refpolicy/policy/modules/system/userdomain.te | 2 +- 7 files changed, 209 insertions(+), 4 deletions(-) diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 33d8754f..c0ef05b8 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,3 +1,5 @@ +- Additional interfaces in corecommands, miscfiles, and userdomain + from Joy Latten. - Miscellaneous fixes from Thomas Bleher. - Deprecate module name as first parameter of optional_policy() now that optionals are allowed everywhere. diff --git a/refpolicy/policy/modules/kernel/corecommands.if b/refpolicy/policy/modules/kernel/corecommands.if index 83020334..e1294159 100644 --- a/refpolicy/policy/modules/kernel/corecommands.if +++ b/refpolicy/policy/modules/kernel/corecommands.if 
@@ -39,6 +39,42 @@ interface(`corecmd_bin_alias',` ') ') +######################################## +## +## Make general progams in bin an entrypoint for +## the specified domain. +## +## +## +## The domain for which bin_t is an entrypoint. +## +## +interface(`corecmd_bin_entry_type',` + gen_require(` + type bin_t; + ') + + domain_entry_file($1,bin_t) +') + +######################################## +## +## Make general progams in sbin an entrypoint for +## the specified domain. +## +## +## +## The domain for which sbin programs are an entrypoint. +## +## +interface(`corecmd_sbin_entry_type',` + gen_require(` + type sbin_t; + ') + + domain_entry_file($1,sbin_t) +') + ######################################## ## ## Make the shell an entrypoint for the specified domain. @@ -779,4 +815,3 @@ interface(`corecmd_exec_chroot',` can_exec($1,chroot_exec_t) allow $1 self:capability sys_chroot; ') - diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te index 1185d896..75dc4f13 100644 --- a/refpolicy/policy/modules/kernel/corecommands.te +++ b/refpolicy/policy/modules/kernel/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands,1.3.4) +policy_module(corecommands,1.3.5) ######################################## # diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if index ac3e8f69..7838a107 100644 --- a/refpolicy/policy/modules/system/miscfiles.if +++ b/refpolicy/policy/modules/system/miscfiles.if 
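Review bot: The comments on the new `corecmd_bin_entry_type` and `corecmd_sbin_entry_type` in corecommands.if do not say what it costs to make a generic type an entrypoint. With `domain_entry_file($1,bin_t)`, every file labelled bin_t becomes a valid way into the domain, so the entrypoint check no longer limits which program runs there. I would add a description line to both (sbin_t in the second), for example `## Every file labeled bin_t becomes a valid entrypoint; prefer a dedicated exec type where one can be assigned.` Both summaries also misspell "progams", and the parameter text differs between the two ("bin_t is an entrypoint" versus "sbin programs are an entrypoint") where it should read the same.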
@@ -303,3 +303,62 @@ interface(`miscfiles_exec_tetex_data',` allow $1 tetex_data_t:dir r_dir_perms; can_exec($1,tetex_data_t) ') + +######################################## +## +## Let test files be an entry point for +## a specified domain. +## +## +## +## Domain to be entered. +## +## +# +interface(`miscfiles_domain_entry_test_files',` + gen_require(` + type test_file_t; + ') + + domain_entry_file($1, test_file_t) +') + +######################################## +## +## Read test files and directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_read_test_files',` + gen_require(` + type test_file_t; + ') + + allow $1 test_file_t:dir r_dir_perms; + allow $1 test_file_t:file r_file_perms; + allow $1 test_file_t:lnk_file r_file_perms; +') + +######################################## +## +## Execute test files. +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_exec_test_files',` + gen_require(` + type test_file_t; + ') + + allow $1 test_file_t:dir r_dir_perms; + allow $1 test_file_t:lnk_file r_file_perms; + can_exec($1, test_file_t) +') diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te index f12850f9..3720757b 100644 --- a/refpolicy/policy/modules/system/miscfiles.te +++ b/refpolicy/policy/modules/system/miscfiles.te @@ -1,5 +1,5 @@ -policy_module(miscfiles,1.0.0) +policy_module(miscfiles,1.0.1) ######################################## # diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index eb07854a..dc638642 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if 
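Review bot: The summary of `miscfiles_domain_entry_test_files` in miscfiles.if does not mention that the entered domain will run whatever is stored under test_file_t. Its integrity therefore depends on which domains may create or write that type, which this hunk does not show, so check the type's writers before using the interface. I would add a line such as `## Any domain able to write test_file_t files can supply the code that runs in the entered domain.` The name also departs from the `_entry_type` suffix used by `corecmd_bin_entry_type` in this same commit, although both wrap `domain_entry_file`.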
@@ -3239,6 +3239,115 @@ interface(`userdom_entry_spec_domtrans_sysadm',` allow sysadm_t $1:process sigchld; ') +######################################## +## +## Allow sysadm to execute a generic bin program in +## a specified domain. This is an explicit transition, +## requiring the caller to use setexeccon(). +## +## +##

+## Allow sysadm to execute a generic bin program in +## a specified domain. +##

+##

+## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

+##
+## +## +## Domain to execute in. +## +## +# +interface(`userdom_sysadm_bin_spec_domtrans_to',` + gen_require(` + type sysadm_t; + ') + + corecmd_bin_spec_domtrans(sysadm_t,$1) + + allow sysadm_t $1:fd use; + allow $1 sysadm_t:fd use; + allow $1 sysadm_t:fifo_file rw_file_perms; + allow $1 sysadm_t:process sigchld; +') + +######################################## +## +## Allow sysadm to execute a generic sbin program in +## a specified domain. This is an explicit transition, +## requiring the caller to use setexeccon(). +## +## +##

+## Allow sysadm to execute a generic sbin program in +## a specified domain. +##

+##

+## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

+##
+## +## +## Domain to execute in. +## +## +# +interface(`userdom_sysadm_sbin_spec_domtrans_to',` + gen_require(` + type sysadm_t; + ') + + corecmd_sbin_spec_domtrans(sysadm_t, $1) + + allow sysadm_t $1:fd use; + allow $1 sysadm_t:fd use; + allow $1 sysadm_t:fifo_file rw_file_perms; + allow $1 sysadm_t:process sigchld; +') + +######################################## +## +## Allow sysadm to execute all entrypoint files +## in the specified domain. This is an explicit +## transition, requiring the caller to use setexeccon(). +## +## +##

+## Allow sysadm to execute all entrypoint files +## in the specified domain. This is an explicit +## transition, requiring the caller to use setexeccon(). +##

+##

+## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

+##
+## +## +## Domain to execute in. +## +## +# +interface(`userdom_sysadm_entry_spec_domtrans_to',` + gen_require(` + type sysadm_t; + ') + + domain_entry_file_spec_domtrans(sysadm_t, $1) + + allow sysadm_t $1:fd use; + allow $1 sysadm_t:fd use; + allow $1 sysadm_t:fifo_file rw_file_perms; + allow $1 sysadm_t:process sigchld; +') + ######################################## ## ## Search the staff users home directory. diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index c28ad164..fda1e87a 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,1.3.5) +policy_module(userdomain,1.3.6) gen_require(` role sysadm_r, staff_r, user_r;
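Review bot: The description blocks of `userdom_sysadm_bin_spec_domtrans_to`, `userdom_sysadm_sbin_spec_domtrans_to` and `userdom_sysadm_entry_spec_domtrans_to` in userdomain.if mostly restate the summary and leave out the consequence for the target domain. sysadm_t selects the program through setexeccon(), and in the bin/sbin variants that can be any generic program, so the code running in the target domain is chosen by sysadm_t rather than fixed by a dedicated entrypoint type. I would state that in the description, for example `## The target domain runs whatever generic program sysadm_t selects; use only for domains meant to be driven by sysadm.` The transition presumably also needs the matching entrypoint rule on the target (`corecmd_bin_entry_type` / `corecmd_sbin_entry_type` from this commit); the `*_spec_domtrans` macros are defined outside the hunk, so confirm and document the pairing. "This is a interface" should read "This is an interface" in all three, and the four trailing `allow` rules are repeated verbatim, so a shared helper would keep them in step.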