From fcfe684b16feb6a5d2dacd1b706e20f834953fdd Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Thu, 16 Feb 2006 16:44:00 +0000
Subject: [PATCH] remove unneeded dep

---
 refpolicy/Makefile                            |  4 ++
 refpolicy/Rules.monolithic                    |  2 +-
 refpolicy/policy/mcs                          | 13 ++++-
 refpolicy/policy/modules/kernel/devices.if    | 19 ++++++++
 refpolicy/policy/modules/kernel/mcs.fc        |  1 +
 refpolicy/policy/modules/kernel/mcs.if        | 23 +++++++++
 refpolicy/policy/modules/kernel/mcs.te        | 47 +++++++++++++++++++
 refpolicy/policy/modules/kernel/mls.te        | 30 +-----------
 .../policy/modules/services/bluetooth.te      |  1 +
 refpolicy/policy/modules/services/hal.te      |  3 ++
 refpolicy/policy/modules/services/mta.te      |  3 ++
 .../policy/modules/services/networkmanager.te |  2 +-
 refpolicy/policy/modules/services/postfix.te  |  4 ++
 refpolicy/policy/modules/system/init.fc       |  3 +-
 refpolicy/policy/modules/system/init.te       |  4 ++
 refpolicy/policy/modules/system/libraries.if  |  1 +
 .../policy/modules/system/selinuxutil.fc      |  3 ++
 .../policy/modules/system/selinuxutil.if      | 23 ++++++++-
 refpolicy/policy/modules/system/unconfined.if |  3 +-
 refpolicy/policy/modules/system/userdomain.te |  7 ++-
 20 files changed, 159 insertions(+), 37 deletions(-)
 create mode 100644 refpolicy/policy/modules/kernel/mcs.fc
 create mode 100644 refpolicy/policy/modules/kernel/mcs.if
 create mode 100644 refpolicy/policy/modules/kernel/mcs.te

diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index d8f10119..e101e2af 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -284,6 +284,10 @@ else
 	include $(ROOT)/Rules.modular
 endif
 
+test:
+	# $(MODDIR)
+	# $(ALL_LAYERS)
+
 ########################################
 #
 # Generated files
diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic
index b383186d..d324c0bd 100644
--- a/refpolicy/Rules.monolithic
+++ b/refpolicy/Rules.monolithic
@@ -105,7 +105,7 @@ $(TMPDIR)/pre_te_files.conf: $(PRE_TE_FILES)
 	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
 	$(verbose) cat $^ > $@
 
-$(TMPDIR)/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES)
+$(TMPDIR)/generated_definitions.conf: $(ALL_TE_FILES)
 # per-userdomain templates:
 	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
 	$(verbose) echo "define(\`base_per_userdomain_template',\`" > $@
diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs
index ce5ad18c..9a39f467 100644
--- a/refpolicy/policy/mcs
+++ b/refpolicy/policy/mcs
@@ -137,15 +137,24 @@ level s0:c0.c255;
 # Only files are constrained by MCS at this stage.
 #
 mlsconstrain file { write setattr append unlink link rename
-		    create ioctl lock execute } (h1 dom h2);
+		    ioctl lock execute relabelfrom } (h1 dom h2);
+
+mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2));
 
 mlsconstrain file { read } ((h1 dom h2) or 
 			    ( t1 == mlsfileread ));
 
 
 # new file labels must be dominated by the relabeling subject clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
+mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
 	( h1 dom h2 );
+mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+	(( h1 dom h2 ) and ( l2 eq h2 ));
+
+mlsconstrain process { ptrace } ( h1 dom h2 );
+
+mlsconstrain process { sigkill sigstop } ( h1 dom h2 ) or
+		( t1 == mcskillall );
 
 define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append 
 link unlink rename relabelfrom relabelto }')
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 01e85511..bf599403 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2656,3 +2656,22 @@ interface(`dev_unconfined',`
 	typeattribute $1 memory_raw_write, memory_raw_read;
 ')
 
+
+########################################
+## <summary>
+##	Read and write the USB device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_usb',`
+	gen_require(`
+		type usb_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 usb_device_t:chr_file { read write };
+')
diff --git a/refpolicy/policy/modules/kernel/mcs.fc b/refpolicy/policy/modules/kernel/mcs.fc
new file mode 100644
index 00000000..fa8a4b15
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/mcs.fc
@@ -0,0 +1 @@
+# no MCS file contexts
diff --git a/refpolicy/policy/modules/kernel/mcs.if b/refpolicy/policy/modules/kernel/mcs.if
new file mode 100644
index 00000000..1ceab9f7
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/mcs.if
@@ -0,0 +1,23 @@
+## <summary>Multicategory security policy</summary>
+## <required val="true">
+##	Contains attributes used in MCS policy.
+## </required>
+
+########################################
+## <summary>
+##	This domain is allowed to sigkill and sigstop 
+##	all domains regardless of their MCS level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain target for user exemption.
+##	</summary>
+## </param>
+#
+interface(`mcs_killall',`
+	gen_require(`
+		attribute mcskillall;
+	')
+
+	typeattribute $1 mcskillall;
+')
diff --git a/refpolicy/policy/modules/kernel/mcs.te b/refpolicy/policy/modules/kernel/mcs.te
new file mode 100644
index 00000000..260d9503
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/mcs.te
@@ -0,0 +1,47 @@
+
+policy_module(mcs,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute mcskillall;
+
+########################################
+#
+# THIS IS A HACK
+#
+# Only the base module can have range_transitions, so we
+# temporarily have to break encapsulation to work around this.
+#
+
+type auditd_exec_t;
+type crond_exec_t;
+type cupsd_exec_t;
+type getty_t;
+type init_t;
+type init_exec_t;
+type initrc_t;
+type initrc_exec_t;
+type login_exec_t;
+type sshd_exec_t;
+type su_exec_t;
+type udev_exec_t;
+type unconfined_t;
+type xdm_exec_t;
+
+ifdef(`enable_mcs',`
+range_transition getty_t login_exec_t s0 - s0:c0.c255;
+range_transition init_t xdm_exec_t s0 - s0:c0.c255;
+range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
+range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
+range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
+range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
+range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
+range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
+
+# these might be targeted_policy only
+range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
+range_transition unconfined_t initrc_exec_t s0;
+')
diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te
index 0b66165b..765b0651 100644
--- a/refpolicy/policy/modules/kernel/mls.te
+++ b/refpolicy/policy/modules/kernel/mls.te
@@ -53,38 +53,10 @@ attribute mlsrangetrans;
 #
 # Only the base module can have range_transitions, so we
 # temporarily have to break encapsulation to work around this.
+# Other types are declared in the mcs module.
 #
 
-type auditd_exec_t;
-type crond_exec_t;
-type cupsd_exec_t;
-type getty_t;
-type init_t;
-type init_exec_t;
-type initrc_t;
-type initrc_exec_t;
-type login_exec_t;
 type lvm_exec_t;
-type sshd_exec_t;
-type su_exec_t;
-type udev_exec_t;
-type unconfined_t;
-type xdm_exec_t;
-
-ifdef(`enable_mcs',`
-range_transition getty_t login_exec_t s0 - s0:c0.c255;
-range_transition init_t xdm_exec_t s0 - s0:c0.c255;
-range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
-range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
-range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
-range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
-range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
-range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
-
-# these might be targeted_policy only
-range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
-range_transition unconfined_t initrc_exec_t s0;
-')
 
 ifdef(`enable_mls',`
 range_transition initrc_t auditd_exec_t s15:c0.c255;
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index b8305fd8..143dd7e0 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -101,6 +101,7 @@ corenet_udp_bind_all_nodes(bluetooth_t)
 
 dev_read_sysfs(bluetooth_t)
 dev_rw_usbfs(bluetooth_t)
+dev_rw_usb(bluetooth_t)
 dev_read_urand(bluetooth_t)
 
 fs_getattr_all_fs(bluetooth_t)
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 8e85e00a..62131f9d 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -97,6 +97,8 @@ fs_search_auto_mountpoints(hald_t)
 
 mls_file_read_up(hald_t)
 
+modutils_domtrans_insmod(hald_t)
+
 selinux_get_fs_mount(hald_t)
 selinux_validate_context(hald_t)
 selinux_compute_access_vector(hald_t)
@@ -128,6 +130,7 @@ libs_exec_ld_so(hald_t)
 libs_exec_lib_files(hald_t)
 
 logging_send_syslog_msg(hald_t)
+logging_search_logs(hald_t)
 
 miscfiles_read_localization(hald_t)
 miscfiles_read_hwdata(hald_t)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 91c90a8d..5cae9f4c 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -44,6 +44,9 @@ role system_r types system_mail_t;
 # System mail local policy
 #
 
+# newalias required this, not sure if it is needed in 'if' file
+allow system_mail_t self:capability { dac_override };
+
 allow system_mail_t etc_mail_t:dir { getattr search };
 allow system_mail_t etc_mail_t:file r_file_perms;
 
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index d2576449..8cafe537 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -22,7 +22,7 @@ allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_overrid
 dontaudit NetworkManager_t self:capability sys_tty_config;
 allow NetworkManager_t self:process { setcap getsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_file_perms;
-allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
+allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
 allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
 allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
 allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index f54a670e..37d09ee5 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -273,6 +273,8 @@ allow postfix_local_t postfix_spool_t:file rw_file_perms;
 corecmd_exec_shell(postfix_local_t)
 corecmd_exec_bin(postfix_local_t)
 
+files_read_etc_files(postfix_local_t)
+
 mta_read_aliases(postfix_local_t)
 mta_delete_spool(postfix_local_t)
 # For reading spamassasin
@@ -395,6 +397,8 @@ allow postfix_pipe_t self:fifo_file { read write };
 allow postfix_pipe_t postfix_private_t:dir search;
 allow postfix_pipe_t postfix_private_t:sock_file write;
 
+allow postfix_pipe_t postfix_public_t:fifo_file { getattr write };
+
 allow postfix_pipe_t postfix_spool_t:dir search;
 allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
 
diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc
index 8a11fb66..4515bbba 100644
--- a/refpolicy/policy/modules/system/init.fc
+++ b/refpolicy/policy/modules/system/init.fc
@@ -22,7 +22,8 @@ ifdef(`targeted_policy', `', `
 #
 # /sbin
 #
-/sbin/init		--	gen_context(system_u:object_r:init_exec_t,s0)
+/sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
+
 
 ifdef(`distro_gentoo', `
 /sbin/rc			--	gen_context(system_u:object_r:initrc_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 2df80252..6d00dd64 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -155,6 +155,8 @@ libs_rw_ld_so_cache(init_t)
 logging_send_syslog_msg(init_t)
 logging_rw_generic_logs(init_t)
 
+mcs_killall(init_t)
+
 mls_file_read_up(init_t)
 mls_file_write_down(init_t)
 mls_rangetrans_target(init_t)
@@ -360,6 +362,8 @@ miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
 miscfiles_read_certs(initrc_t)
 
+mcs_killall(initrc_t)
+
 mls_file_read_up(initrc_t)
 mls_file_write_down(initrc_t)
 mls_process_read_up(initrc_t)
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index a53d3383..3d646fe7 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -283,6 +283,7 @@ interface(`libs_manage_lib_files',`
 
 	allow $1 lib_t:dir search_dir_perms;
 	allow $1 lib_t:file manage_file_perms;
+	allow $1 lib_t:lnk_file unlink;
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/selinuxutil.fc b/refpolicy/policy/modules/system/selinuxutil.fc
index 8364ca48..dec2ff1b 100644
--- a/refpolicy/policy/modules/system/selinuxutil.fc
+++ b/refpolicy/policy/modules/system/selinuxutil.fc
@@ -10,6 +10,7 @@
 /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
 
 /etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
+/etc/selinux/([^/]*/)?modules(/.*)?	gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
 /etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
 /etc/selinux/([^/]*/)?users(/.*)?	--	gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
 
@@ -39,3 +40,5 @@
 ifdef(`distro_debian', `
 /usr/share/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
 ')
+
+/usr/sbin/semodule		--	gen_context(system_u:object_r:semodule_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 606c5112..70792e9f 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -585,6 +585,28 @@ interface(`seutil_read_file_contexts',`
 	allow $1 file_context_t:lnk_file { getattr read };
 ')
 
+########################################
+## <summary>
+##	Read and write the file_contexts files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_rw_file_contexts',`
+	gen_require(`
+		type selinux_config_t, file_context_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search;
+	allow $1 file_context_t:dir r_dir_perms;
+	allow $1 file_context_t:file rw_file_perms;
+	allow $1 file_context_t:lnk_file { getattr read };
+')
+
 ########################################
 #
 # seutil_read_bin_policy(domain)
@@ -683,4 +705,3 @@ interface(`seutil_manage_src_policy',`
 	allow $1 policy_src_t:dir create_dir_perms;
 	allow $1 policy_src_t:file create_file_perms;
 ')
-
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index e63d8278..bc32cd79 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -55,10 +55,11 @@ interface(`unconfined_domain_noaudit',`
 	tunable_policy(`allow_execmem && allow_execstack',`
 		# Allow making the stack executable via mprotect.
 		allow $1 self:process execstack;
+		auditallow $1 self:process execstack;
 	', `
 		# These are fairly common but seem to be harmless
 		# caused by using shared libraries built with old tool chains
-		dontaudit $1 self:process execstack;
+		#dontaudit $1 self:process execstack;
 	')
 
 
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index ac593ef2..c2271525 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -165,9 +165,13 @@ ifdef(`targeted_policy',`
 	')
 
 	ifdef(`enable_mls',`
+		corecmd_exec_shell(secadm_t)
+		mls_process_read_up(secadm_t)
+		mls_file_write_down(secadm_t)
+		mls_file_upgrade(secadm_t)
+		mls_file_downgrade(secadm_t)
 		logging_read_audit_log(secadm_t)
 		logging_domtrans_auditctl(secadm_t)
-		mls_process_read_up(secadm_t)
 		userdom_dontaudit_append_staff_home_files(secadm_t)
 	', `
 		logging_domtrans_auditctl(sysadm_t)
@@ -354,6 +358,7 @@ ifdef(`targeted_policy',`
 			seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
 			seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
 			seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
+			seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
 		', `
 			selinux_set_enforce_mode(sysadm_t)
 			selinux_set_boolean(sysadm_t)