xml updates and nis stuff

refpolicy/policy/modules/apps/gpg.if

@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per-userdomain template for the gpg module.
+##	The per user domain template for the gpg module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -12,9 +12,9 @@
 ##	in domains specific to the user type.
 ##	</p>
 ##	<p>
-##	This is invoked	automatically for each user, and
+##	This is invoked automatically for each user and
-##	generally does not need to be statically invoked
+##	generally does not need to be invoked directly
-##	directly by policy writers.
+##	by policy writers.
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">

refpolicy/policy/modules/services/cron.if

@@ -1,10 +1,26 @@
 ## <summary>Periodic execution of scheduled commands.</summary>
 
-########################################
+#######################################
+## <summary>
+##	The per user domain template for the cron module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for running programs on behalf of the user, from cron.
+##	A type for the user crontab is also created.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
 #
-# cron_per_userdomain_template(domainprefix)
-#
-
 template(`cron_per_userdomain_template',`
 
 	# Type of user crontabs once moved to cron spool.
@@ -213,11 +229,21 @@ template(`cron_per_userdomain_template',`
 	') dnl endif TODO
 ')
 
-########################################
+#######################################
+## <summary>
+##	The administrative functions template for the cron module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates rules for administrating the cron service,
+##	allowing the specified user to manage other user crontabs.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
 #
-# cron_admin_template(domainprefix)
-#
-
 template(`cron_admin_template',`
 	logging_read_generic_logs($1_crond_t)
 

refpolicy/policy/modules/services/ssh.if

@@ -1,5 +1,26 @@
 ## <summary>Secure shell client and server policy.</summary>
 
+#######################################
+## <summary>
+##	The per user domain template for the ssh module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for ssh client sessions and user ssh agents.  A derived
+##	type is also created to protect the user ssh keys.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+#
 template(`ssh_per_userdomain_template',`
 	##############################
 	#
@@ -103,6 +124,8 @@ template(`ssh_per_userdomain_template',`
 
 	userdom_use_unpriv_users_fd($1_ssh_t)
 
+	nis_use_ypbind($1_ssh_t)
+
 	tunable_policy(`use_dns',`
 		allow $1_ssh_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
 		corenet_udp_sendrecv_all_if($1_ssh_t)
@@ -147,9 +170,6 @@ template(`ssh_per_userdomain_template',`
 	allow $1_ssh_t var_run_t:dir r_dir_perms;
 	allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms;
 
-	# Grant permissions needed to create TCP and UDP sockets and
-	# to access the network.
-	can_ypbind($1_ssh_t)
 	can_kerberos($1_ssh_t)
 
 	allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
@@ -306,9 +326,23 @@ template(`ssh_per_userdomain_template',`
 	') dnl endif TODO
 ')
 
-########################################
+#######################################
-#
+## <summary>
-#
+##	The template to define a ssh server.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a domains to be used for
+##	creating a ssh server.  This is typically done
+##	to have multiple ssh servers of different sensitivities,
+##	such as for an internal network-facing ssh server, and
+##	a external network-facing ssh server.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
 #
 template(`sshd_program_domain', `
 	type $1_t, ssh_server; #, nscd_client_domain;

refpolicy/policy/modules/system/authlogin.if

@@ -1,12 +1,28 @@
 ## <summary>Common policy for authentication and user login.</summary>
 
 #######################################
+## <summary>
+##	The per user domain template for the authlogin module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is allowed
+##	to authenticate users by using PAM unix_chkpwd support.
+##	This domain will be used by any programs running in the
+##	user domain which use PAM to authenticate.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
 #
-# Per user domain template for this module
+template(`authlogin_per_userdomain_template',`
-#
-# authlogin_per_userdomain_template(userdomain_prefix)
-#
-interface(`authlogin_per_userdomain_template',`
 	gen_require(`
 		attribute can_read_shadow_passwords;
 		type chkpwd_exec_t, system_chkpwd_t, shadow_t;

refpolicy/policy/modules/system/init.if

@@ -259,9 +259,9 @@ interface(`init_exec_script',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Read the process state (/proc/pid) of the init scripts.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -327,9 +327,9 @@ interface(`init_get_script_process_group',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Read and write init script unnamed pipes.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -343,6 +343,24 @@ interface(`init_rw_script_pipe',`
 	allow $1 initrc_t:fifo_file { read write };
 ')
 
+########################################
+## <summary>
+##	Send UDP network traffic to init scripts.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`init_udp_sendto_script',`
+	gen_require(`
+		type initrc_t;
+		class udp_socket { sendto recvfrom };
+	')
+
+	allow $1 initrc_t:udp_socket sendto;
+	allow initrc_t $1:udp_socket recvfrom;
+')
+
 ########################################
 #
 # init_use_script_pty(domain)
@@ -371,9 +389,9 @@ interface(`init_dontaudit_use_script_pty',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Read and write init script temporary data.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>

refpolicy/policy/modules/system/init.te

@@ -350,6 +350,11 @@ optional_policy(`lvm.te',`
 	dev_create_generic_chr_file(initrc_t)
 ')
 
+optional_policy(`nis.te',`
+	nis_udp_sendto_ypbind(initrc_t)
+	nis_list_var_yp(initrc_t)
+')
+
 optional_policy(`rhgb.te',`
 	corecmd_shell_entry_type(initrc_t)
 ')