From 32e53ac1b80ea98c00a4eb83f1beb4a662c08f3a Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: May 27 2005 21:56:01 +0000 Subject: cleanup inspired by sediff --- diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 5684eab..fd03d14 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -254,6 +254,12 @@ kernel_compute_selinux_relabel_context(rpm_script_t) kernel_compute_selinux_reachable_user_contexts(rpm_script_t) kernel_read_system_state(rpm_script_t) +# ideally we would not need this +devices_manage_generic_block_devices(rpm_script_t) +devices_manage_generic_character_devices(rpm_script_t) +devices_manage_all_block_devices(rpm_script_t) +devices_manage_all_character_devices(rpm_script_t) + filesystem_manage_nfs_files(rpm_script_t) filesystem_get_nfs_filesystem_attributes(rpm_script_t) # why is this not using mount? @@ -274,6 +280,7 @@ authlogin_manage_all_files_except_shadow(rpm_script_t) corecommands_execute_general_programs(rpm_script_t) corecommands_execute_system_programs(rpm_script_t) +domain_read_all_domains_process_state(rpm_script_t) domain_use_widely_inheritable_file_descriptors(rpm_script_t) domain_execute_all_entrypoint_programs(rpm_script_t) domain_signal_all_domains(rpm_script_t) 
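Review bot: The comment `# ideally we would not need this` above the four new `devices_manage_*` calls for rpm_script_t understates what they grant: per the devices.if changes in this same patch, `devices_manage_all_character_devices` also adds the caller to `memory_raw_read` and `memory_raw_write`, and `devices_manage_all_block_devices` pulls in raw fixed-disk and SCSI generic access, so rpm scripts now hold raw memory and raw disk rights by side effect. The `_generic_` pair also looks redundant next to the `_all_` pair if `device_t` carries the `device_node` attribute, which this patch does not show. Suggest a comment that names the side effect, e.g. `# rpm scripts create device nodes; note the *_all_* interfaces also grant raw memory and raw disk access, ideally we would not need this`.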
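Review bot: `domain_read_all_domains_process_state(rpm_script_t)` stands in for the `allow rpm_script_t domain:...` rules deleted from the TODO block in the next hunk, but nothing visible replaces the deleted `dontaudit rpm_script_t domain:process ptrace;` or its explanation that procps reading /proc/pid/environ trips a ptrace check on 2.4 and 2.6 kernels. Unless that interface already carries the dontaudit, rpm scripts that run ps will start logging ptrace denials. If it does not, keep the dontaudit and its comment next to this call, or add the dontaudit to the interface and document it there.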
@@ -310,24 +317,12 @@ ifdef(`TODO',` allow rpm_script_t sysfs_t:dir r_dir_perms; -# ideally we would not need this -allow rpm_script_t { device_t device_type }:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename }; - allow rpm_script_t usr_t:file { getattr read execute execute_no_trans }; allow rpm_script_t autofs_t:dir { search getattr }; can_ypbind(rpm_script_t) -allow rpm_script_t domain:dir { search getattr read }; -allow rpm_script_t domain:{ file lnk_file } { read getattr }; -allow rpm_script_t domain:process getattr; -# We need to suppress this denial because procps tries to access -# /proc/pid/environ and this now triggers a ptrace check in recent kernels -# (2.4 and 2.6). Might want to change procps to not do this, or only if -# running in a privileged domain. -dontaudit rpm_script_t domain:process ptrace; - optional_policy(`automount.te', ` allow rpm_script_t autofs_t:dir { search getattr }; ') diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 1480a75..2b869a8 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -298,9 +298,6 @@ devices_get_pseudorandom_data(passwd_t) filesystem_get_persistent_filesystem_attributes(passwd_t) -terminal_use_all_private_physical_terminals(passwd_t) -terminal_use_all_private_pseudoterminals(passwd_t) - # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_script_ignore_modify_runtime_data(passwd_t) @@ -320,7 +317,10 @@ miscfiles_read_localization(passwd_t) authlogin_manage_shadow_passwords(passwd_t) ifdef(`TODO',` -role sysadm_r types passwd_t; + +ifdef(`firstboot.te',` +domain_auto_trans(firstboot_t, passwd_exec_t, passwd_t) +') # Update /etc/shadow and /etc/passwd allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto }; 
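Review bot: Removing `terminal_use_all_private_physical_terminals(passwd_t)` and `terminal_use_all_private_pseudoterminals(passwd_t)` leaves passwd_t with no terminal access granted in this file; the intended replacement appears to be the per-role `usermanage_passwd_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })` call added to userdomain.if, which is the tighter grant, but that interface is not defined anywhere in this patch and no equivalent call for sysadm_t is visible in userdomain.te. If usermanage.if does not already provide it, passwd run from a sysadm shell loses its tty. A one-line comment at the removal site would save the next reader the hunt, e.g. `# terminal access is granted per role by usermanage_passwd_transition_add_role_use_terminal()`.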
@@ -340,7 +340,7 @@ allow passwd_t shell_exec_t:file execute; # user generally runs this from their home directory, so do not audit a search # on user home dir dontaudit passwd_t { user_home_dir_type user_home_type }:dir search; -in_user_role(passwd_t) + # make sure that getcon succeeds allow passwd_t userdomain:dir search; allow passwd_t userdomain:file read; @@ -356,7 +356,6 @@ allow passwd_t crack_db_t:file r_file_perms; ', ` dontaudit passwd_t var_t:dir search; ') -domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t) ') dnl endif TODO ######################################## diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 3d2c5e4..51fab1f 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if 
@@ -220,6 +220,38 @@ class blk_file { getattr read write ioctl }; ######################################## # +# devices_manage_generic_block_devices(domain) +# +define(`devices_manage_generic_block_devices',` +requires_block_template(`$0'_depend) +allow $1 device_t:dir { getattr search read write add_name remove_name }; +allow $1 device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename }; +') + +define(`devices_manage_generic_block_devices_depend',` +type device_t; +class dir { getattr search read }; +class blk_file { create ioctl read getattr lock write setattr append link unlink rename }; +') + +######################################## +# +# devices_manage_generic_character_devices(domain) +# +define(`devices_manage_generic_character_devices',` +requires_block_template(`$0'_depend) +allow $1 device_t:dir { getattr search read write add_name remove_name }; +allow $1 device_t:chr_file { create ioctl read getattr lock write setattr append link unlink rename }; +') + +define(`devices_manage_generic_character_devices_depend',` +type device_t; +class dir { getattr search read }; +class chr_file { create ioctl read getattr lock write setattr append link unlink rename }; +') + +######################################## +# # devices_create_dev_entry(domain,file,objectclass(es)) # define(`devices_create_dev_entry',` 
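Review bot: Both new `_depend` blocks declare `class dir { getattr search read };` while the matching allow rules on `device_t:dir` use `{ getattr search read write add_name remove_name }`, so the dependency declaration under-states what the interface actually needs; the two `_depend` blocks in the next hunk (devices.if @@ -326) have the same mismatch. Change each of those lines to `class dir { getattr search read write add_name remove_name };`.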
@@ -326,6 +358,44 @@ class chr_file setattr; ######################################## # +# devices_manage_all_block_devices(domain) +# +define(`devices_manage_all_block_devices',` +requires_block_template(`$0'_depend) +allow $1 device_t:dir { getattr search read write add_name remove_name }; +allow $1 device_node:blk_file { create ioctl read getattr lock write setattr append link unlink rename }; +# these next rules are to satisfy assertions broken by the above lines. +storage_raw_read_fixed_disk($1) +storage_raw_write_fixed_disk($1) +storage_read_scsi_generic($1) +storage_write_scsi_generic($1) +') + +define(`devices_manage_generic_block_devices_depend',` +attribute device_node; +class dir { getattr search read }; +class blk_file { create ioctl read getattr lock write setattr append link unlink rename }; +') + +######################################## +# +# devices_manage_all_character_devices(domain) +# +define(`devices_manage_all_character_devices',` +requires_block_template(`$0'_depend) +allow $1 device_t:dir { getattr search read write add_name remove_name }; +allow $1 device_node:chr_file { create ioctl read getattr lock write setattr append link unlink rename }; +typeattribute $1 memory_raw_read, memory_raw_write; +') + +define(`devices_manage_all_character_devices_depend',` +attribute device_node, memory_raw_read, memory_raw_write; +class dir { getattr search read }; +class chr_file { create ioctl read getattr lock write setattr append link unlink rename }; +') + +######################################## +# # devices_raw_read_memory(domain) # define(`devices_raw_read_memory',` diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if index 19e1466..e7ec93d 100644 --- a/refpolicy/policy/modules/system/hostname.if +++ b/refpolicy/policy/modules/system/hostname.if 
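Review bot: The depend macro that follows `devices_manage_all_block_devices` is named `devices_manage_generic_block_devices_depend`, so `requires_block_template(`$0'_depend)` inside the interface expands to an undefined `devices_manage_all_block_devices_depend`, and the generic depend from the previous hunk (which declares `type device_t`) is silently redefined to declare `attribute device_node` instead. Rename it to `define(`devices_manage_all_block_devices_depend',`` and add `type device_t;` to it, since the `device_t:dir` rule still needs that type; the character-device depend is correctly named but is also missing `type device_t;`. The `typeattribute $1 memory_raw_read, memory_raw_write;` line is the consequential part of the character-device interface and deserves a why-comment, presumably along the lines of `# writing all device_node chr_files reaches the raw memory devices, so the caller must satisfy the memory_raw_* assertions`, to be confirmed against the assertions it is meant to satisfy.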
@@ -1,8 +1,17 @@ # Copyright (C) 2005 Tresys Technology, LLC +## +## Policy for changing the system host name. -####################################### -# -# hostname_transition(domain) +######################################## +## +## +## Execute hostname in the hostname domain. +## +## +## The type of the process performing this action. +## +## +## # define(`hostname_transition',` requires_block_template(`$0'_depend) @@ -18,6 +27,36 @@ class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') +######################################## +## +## +## Execute hostname in the hostname domain, and +## allow the specified role the hostname domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the hostname domain. +## +## +## The type of the terminal allow the hostname domain to use. +## +## +## +# +define(`hostname_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +hostname_transition($1) +role $2 types hostname_t; +allow hostname_t $3:chr_file { getattr read write ioctl }; +') + +define(`hostname_transition_add_role_use_terminal_depend',` +type hostname_t; +class chr_file { getattr read write ioctl }; +') + ####################################### # # hostname_execute(domain) @@ -31,3 +70,5 @@ define(`hostname_execute_depend',` type hostname_exec_t; class file { getattr read execute execute_no_trans }; ') + +## diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 84c3f5a..882fa9f 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if 
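Review bot: The description of the third parameter of `hostname_transition_add_role_use_terminal` reads `The type of the terminal allow the hostname domain to use.`, which is ungrammatical; suggest `The type of the terminal the hostname domain is allowed to use.`. Since userdomain.te passes `admin_terminal` for that argument, a sentence noting that the parameter may be an attribute as well as a type would also help readers of the interface.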
@@ -205,6 +205,11 @@ if (user_ttyfile_stat) { terminal_get_all_private_physical_terminal_attributes($1_t) } +optional_policy(`usermanage.te',` +usermanage_chfn_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) +usermanage_passwd_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) +') + ifdef(`TODO',` # When the user domain runs ps, there will be a number of access diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index b47b421..c816dd9 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -75,6 +75,7 @@ bool user_tcp_server false; # Allow w to display everyone bool user_ttyfile_stat false; +admin_domain_template(sysadm) user_domain_template(staff) user_domain_template(user) @@ -83,18 +84,38 @@ user_domain_template(user) # Local policy # -#allow privhome home_root_t:dir { getattr search }; +# user role change rules: +define(`role_change',` +allow $1_r $2_r; +type_change $2_t $1_devpts_t:chr_file $2_devpts_t; +type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t; +# avoid annoying messages on terminal hangup +dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl; +') + +# sysadm_r can change to user roles +role_change(sysadm, user) +role_change(sysadm, staff) + +# only staff_r can change to sysadm_r +role_change(staff, sysadm) + +tunable_policy(`user_canbe_sysadm',` +role_change(user,sysadm) +') + +ifdef(`TODO',` +allow privhome home_root_t:dir { getattr search }; # Add/remove user home directories -#file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir) +file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir) +') ######################################## # # Sysadm local policy # -admin_domain_template(sysadm) - # for su allow sysadm_t userdomain:fd use; 
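Review bot: The two calls added inside `optional_policy(`usermanage.te',` ... `)`, `usermanage_chfn_transition_add_role_use_terminal` and `usermanage_passwd_transition_add_role_use_terminal`, are not defined anywhere in this patch, and the same holds for `usermanage_groupadd_transition_add_role_use_terminal` and `usermanage_useradd_transition_add_role_use_terminal` in the last userdomain.te hunk; if usermanage.if does not already define them with this three-argument shape, the build breaks and the terminal grants removed from usermanage.te in this patch are never restored. Worth confirming before merge, or including the usermanage.if additions in the same commit.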
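Review bot: The comment `# only staff_r can change to sysadm_r` is contradicted a few lines later by `tunable_policy(`user_canbe_sysadm',` role_change(user,sysadm) ')`; reword it to `# staff_r can change to sysadm_r (user_r too when user_canbe_sysadm is set)`. If `tunable_policy` expands to a conditional `if` block, the `allow $1_r $2_r;` role allow emitted by `role_change` cannot appear inside it, since conditionals only accept AV and type rules; confirm how the tunable expands before relying on this. `role_change` is also an unprefixed m4 define placed in a .te file, so it stays visible to every file processed after it; a module-specific prefix, or moving it to userdomain.if, would avoid collisions.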
@@ -102,6 +123,14 @@ optional_policy(`bootloader.te',` bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) ') +optional_policy(`clock.te',` +clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +') + +optional_policy(`hostname.te',` +hostname_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +') + optional_policy(`iptables.te',` iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) ') @@ -142,6 +171,7 @@ optional_policy(`sysnetwork.te',` sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) ') -optional_policy(`clock.te',` -clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +optional_policy(`usermanage.te',` +usermanage_groupadd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +usermanage_useradd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) ')