targeted and redhat cleanups

refpolicy/Changelog

@@ -1,3 +1,6 @@
+- Make logrotate, sendmail, sshd, and rpm policies
+  unconfined in the targeted policy so no special
+  modules.conf is required.
 - Add experimental MCS support.
 - Add appconfig for MLS.
 - Add equivalents for old can_resolve(), can_ldap(), and

refpolicy/Makefile

@@ -27,7 +27,9 @@
 #OUTPUT_POLICY = 18
 
 # Policy Type
-# strict, targeted, strict-mls, targeted-mls
+# strict, targeted,
+# strict-mls, targeted-mls,
+# strict-mcs, targeted-mcs
 TYPE = strict
 
 # Policy Name
@@ -45,6 +47,13 @@ NAME = refpolicy
 # Fedora users should enable redhat.
 #DISTRO = redhat
 
+# Direct admin init
+# Setting this will allow sysadm to directly
+# run init scripts, instead of requring run_init.
+# This is a build option, as role transitions do
+# not work in conditional policy.
+DIRECT_INITRC=n
+
 # Build monolithic policy.  Putting n here
 # will build a loadable module policy.
 MONOLITHIC=y
@@ -139,6 +148,10 @@ ifeq ($(NAME),)
 	NAME := $(TYPE)
 endif
 
+ifeq ($(DIRECT_INITRC),y)
+	override M4PARAM += -D direct_sysadm_daemon
+endif
+
 # determine the policy version and current kernel version if possible
 PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
 KV := $(shell cat /selinux/policyvers)

refpolicy/policy/modules.conf.targeted_example

@@ -1,493 +0,0 @@
-#
-# This file contains a listing of available modules.
-# To prevent a module from  being used in policy
-# creation, set the module name to "off".
-#
-# For monolithic policies, modules set to "base" and "module"
-# will be built into the policy.
-#
-# For modular policies, modules set to "base" will be
-# included in the base module.  "module" will be compiled
-# as individual loadable modules.
-#
-
-# Layer: kernel
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-# 
-devices = base
-
-# Layer: kernel
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-# 
-filesystem = base
-
-# Layer: kernel
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-# 
-selinux = base
-
-# Layer: kernel
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-# 
-terminal = base
-
-# Layer: kernel
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-# 
-kernel = base
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-# 
-corenetwork = base
-
-# Layer: system
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-# 
-files = base
-
-# Layer: system
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-# 
-domain = base
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-# 
-usermanage = module
-
-# Layer: admin
-# Module: rpm
-#
-# Policy for the RPM package manager.
-# 
-rpm = off
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-# 
-dmesg = module
-
-# Layer: admin
-# Module: logrotate
-#
-# Rotate and archive system logs
-# 
-logrotate = off
-
-# Layer: admin
-# Module: consoletype
-#
-# Determine of the console connected to the controlling terminal.
-# 
-consoletype = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-# 
-netutils = module
-
-# Layer: admin
-# Module: acct
-#
-# Berkeley process accounting
-# 
-acct = module
-
-# Layer: admin
-# Module: tmpreaper
-#
-# Manage temporary directory sizes and file ages
-# 
-tmpreaper = module
-
-# Layer: admin
-# Module: updfstab
-#
-# Red Hat utility to change /etc/fstab.
-# 
-updfstab = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-# 
-su = off
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-# 
-sudo = module
-
-# Layer: admin
-# Module: quota
-#
-# File system quota management
-# 
-quota = module
-
-# Layer: admin
-# Module: firstboot
-#
-# Final system configuration run during the first boot
-# after installation of Red Hat/Fedora systems.
-# 
-firstboot = module
-
-# Layer: apps
-# Module: gpg
-#
-# Policy for GNU Privacy Guard and related programs.
-# 
-gpg = off
-
-# Layer: apps
-# Module: loadkeys
-#
-# Load keyboard mappings.
-# 
-loadkeys = module
-
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-# 
-bootloader = module
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-# 
-storage = module
-
-# Layer: services
-# Module: remotelogin
-#
-# Policy for rshd, rlogind, and telnetd.
-# 
-remotelogin = module
-
-# Layer: services
-# Module: nscd
-#
-# Name service cache daemon
-# 
-nscd = module
-
-# Layer: services
-# Module: nis
-#
-# Policy for NIS (YP) servers and clients
-# 
-nis = module
-
-# Layer: services
-# Module: sendmail
-#
-# Policy for sendmail.
-# 
-sendmail = off
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-# 
-ssh = off
-
-# Layer: services
-# Module: cron
-#
-# Periodic execution of scheduled commands.
-# 
-cron = module
-
-# Layer: services
-# Module: inetd
-#
-# Internet services daemon.
-# 
-inetd = module
-
-# Layer: services
-# Module: kerberos
-#
-# MIT Kerberos admin and KDC
-# 
-kerberos = module
-
-# Layer: services
-# Module: mta
-#
-# Policy common to all email tranfer agents.
-# 
-mta = module
-
-# Layer: services
-# Module: mysql
-#
-# Policy for MySQL
-# 
-mysql = module
-
-# Layer: services
-# Module: tcpd
-#
-# Policy for TCP daemon.
-# 
-tcpd = module
-
-# Layer: services
-# Module: rshd
-#
-# Remote shell service.
-# 
-rshd = module
-
-# Layer: services
-# Module: ldap
-#
-# OpenLDAP directory server
-# 
-ldap = module
-
-# Layer: services
-# Module: gpm
-#
-# General Purpose Mouse driver
-# 
-gpm = module
-
-# Layer: services
-# Module: howl
-#
-# Port of Apple Rendezvous multicast DNS
-# 
-howl = module
-
-# Layer: services
-# Module: rsync
-#
-# Fast incremental file transfer for synchronization
-# 
-rsync = module
-
-# Layer: services
-# Module: privoxy
-#
-# Privacy enhancing web proxy.
-# 
-privoxy = module
-
-# Layer: services
-# Module: bind
-#
-# Berkeley internet name domain DNS server.
-# 
-bind = module
-
-# Layer: system
-# Module: unconfined
-#
-# The unconfined domain.
-# 
-unconfined = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-# 
-authlogin = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-# 
-selinuxutil = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-# 
-getty = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-# 
-mount = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-# 
-ipsec = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-# 
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-# 
-logging = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-# 
-sysnetwork = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-# 
-fstools = module
-
-# Layer: system
-# Module: pcmcia
-#
-# PCMCIA card management services
-# 
-pcmcia = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-# 
-iptables = module
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-# 
-userdomain = module
-
-# Layer: system
-# Module: corecommands
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-# 
-corecommands = base
-
-# Layer: system
-# Module: hotplug
-#
-# Policy for hotplug system, for supporting the
-# connection and disconnection of devices at runtime.
-# 
-hotplug = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-# 
-clock = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-# 
-lvm = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-# 
-modutils = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-# 
-init = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-# 
-udev = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-# 
-hostname = module
-
-# Layer: system
-# Module: raid
-#
-# RAID array management tools
-# 
-raid = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-# 
-libraries = module
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-# 
-miscfiles = module
-

refpolicy/policy/modules/admin/logrotate.te

@@ -6,9 +6,10 @@ policy_module(logrotate,1.0)
 # Declarations
 #
 
-type logrotate_t; #, priv_system_role
+type logrotate_t;
 domain_type(logrotate_t)
 domain_obj_id_change_exempt(logrotate_t)
+domain_system_change_exempt(logrotate_t)
 role system_r types logrotate_t;
 
 type logrotate_exec_t;
@@ -126,6 +127,10 @@ ifdef(`distro_debian', `
 	can_exec(logrotate_t, logrotate_exec_t)
 ')
 
+ifdef(`targeted_policy',`
+	unconfined_domain_template(logrotate_t)
+')
+
 optional_policy(`acct.te',`
 	acct_domtrans(logrotate_t)
 	acct_manage_data(logrotate_t)

refpolicy/policy/modules/admin/rpm.te

@@ -169,6 +169,10 @@ sysnet_read_config(rpm_t)
 
 userdom_use_unpriv_users_fd(rpm_t)
 
+ifdef(`targeted_policy',`
+	unconfined_domain_template(rpm_t)
+')
+
 optional_policy(`cron.te',`
 	cron_system_entry(rpm_t,rpm_exec_t)
 ')
@@ -310,11 +314,8 @@ seutil_domtrans_restorecon(rpm_script_t)
 
 userdom_use_all_user_fd(rpm_script_t)
 
-# this should be tunable_policy, but
-# typeattribute does not work in conditionals
-ifdef(`unlimitedRPM',`
+ifdef(`targeted_policy',`
 	unconfined_domain_template(rpm_t)
-	unconfined_domain_template(rpm_script_t)
 ')
 
 tunable_policy(`allow_execmem',`

refpolicy/policy/modules/services/dbus.if

@@ -220,3 +220,20 @@ interface(`dbus_send_system_bus_msg',`
 
 	allow $1 system_dbusd_t:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dbus_system_bus_unconfined',`
+	gen_require(`
+		type system_dbusd_t;
+		class dbus all_dbus_perms;
+	')
+
+	allow $1 system_dbusd_t:dbus *;
+')

refpolicy/policy/modules/services/dbus.te

@@ -15,7 +15,7 @@ files_type(dbusd_etc_t)
 
 type system_dbusd_t alias dbusd_t;
 type system_dbusd_exec_t;
-init_daemon_domain(system_dbusd_t,system_dbusd_exec_t)
+init_system_domain(system_dbusd_t,system_dbusd_exec_t)
 
 type system_dbusd_tmp_t;
 files_tmp_file(system_dbusd_tmp_t)

refpolicy/policy/modules/services/sendmail.te

@@ -102,7 +102,8 @@ mta_rw_aliases(sendmail_t)
 mta_manage_queue(sendmail_t)
 mta_manage_spool(sendmail_t)
 
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
+	unconfined_domain_template(sendmail_t)
 	term_dontaudit_use_unallocated_tty(sendmail_t)
 	term_dontaudit_use_generic_pty(sendmail_t)
 	files_dontaudit_read_root_file(sendmail_t)

refpolicy/policy/modules/services/ssh.te

@@ -72,6 +72,10 @@ auth_exec_pam(sshd_t)
 
 seutil_read_config(sshd_t)
 
+ifdef(`targeted_policy',`
+	unconfined_domain_template(sshd_t)
+')
+
 tunable_policy(`ssh_sysadm_login',`
 	# Relabel and access ptys created by sshd
 	# ioctl is necessary for logout() processing for utmp entry and for w to

refpolicy/policy/modules/system/corecommands.te

@@ -12,12 +12,6 @@ policy_module(corecommands,1.0)
 type bin_t;
 files_type(bin_t)
 
-ifdef(`targeted_policy',`
-	# Define some type aliases to help with compatibility with
-	# macros and domains from the "strict" policy.
-	typealias bin_t alias su_exec_t;
-')
-
 #
 # sbin_t is the type of files in the system sbin directories.
 #

refpolicy/policy/modules/system/files.if

@@ -2568,8 +2568,6 @@ interface(`files_manage_generic_spools',`
 interface(`files_unconfined',`
 	gen_require(`
 		attribute file_type;
-		class unix_stream_socket name_bind;
-		class unix_dgram_socket name_bind;
 	')
 
 	# Create/access any file in a labeled filesystem;
@@ -2582,4 +2580,10 @@ interface(`files_unconfined',`
 	# Bind to any network address.
 	# cjp: need to check this, I dont think this has any effect.
 	allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
+
+	ifdef(`targeted_policy',`
+		tunable_policy(`allow_execmod',`
+			allow $1 file_type:file execmod;
+		')
+	')
 ')

refpolicy/policy/modules/system/unconfined.if

@@ -9,6 +9,11 @@
 ## </param>
 #
 template(`unconfined_domain_template',`
+	gen_require(`
+		class dbus all_dbus_perms;
+		class nscd all_nscd_perms;
+		class passwd all_passwd_perms;
+	')
 
 	# Use any Linux capability.
 	allow $1 self:capability *;
@@ -52,6 +57,11 @@ template(`unconfined_domain_template',`
 		bootloader_manage_kernel_modules($1)
 	')
 
+	optional_policy(`dbus.te', `
+		# Communicate via dbusd.
+		dbus_system_bus_unconfined($1)
+	')
+
 	optional_policy(`nscd.te', `
 		nscd_unconfined($1)
 	')
@@ -67,20 +77,12 @@ template(`unconfined_domain_template',`
 
 	ifdef(`TODO',`
 	if (allow_execmod) {
-		ifdef(`targeted_policy', `
-			allow $1 file_type:file execmod;
-		', `
+		ifdef(`targeted_policy', `', `
 			# Allow text relocations on system shared libraries, e.g. libGL.
 			allow $1 texrel_shlib_t:file execmod;
 			allow $1 home_type:file execmod;
 		')
 	}
-
-	ifdef(`dbusd.te', `
-		# Communicate via dbusd.
-		allow $1 system_dbusd_t:dbus *;
-	')
-
 	') dnl end TODO
 ')
 

refpolicy/policy/modules/system/unconfined.te

@@ -25,14 +25,14 @@ ifdef(`targeted_policy',`
 
 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
-	typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+	# cjp: remove xdm_t when we get to that module
+	typealias unconfined_t alias { secadm_t sysadm_t xdm_t };
 
 	init_domtrans_script(unconfined_t)
 
 	userdom_unconfined(unconfined_t)
 
 	ifdef(`TODO',`
-	#cjp: why is this needed?
 	ifdef(`samba.te', `samba_domain(user)')
 	') dnl end TODO
 ')

refpolicy/policy/modules/system/userdomain.if

@@ -731,6 +731,10 @@ template(`unpriv_user_template', `
 ## </param>
 #
 template(`admin_user_template',`
+	gen_require(`
+		class passwd { passwd chfn chsh rootok crontab };
+	')
+
 	##############################
 	#
 	# Declarations
@@ -743,8 +747,9 @@ template(`admin_user_template',`
 	domain_obj_id_change_exempt($1_t)
 	role system_r types $1_t;
 
-	#ifdef(`direct_sysadm_daemon', `, priv_system_role')
-	#; dnl end of sysadm_t type declaration
+	ifdef(`direct_sysadm_daemon',`
+		domain_system_change_exempt($1_t)
+	')
 	
 	typeattribute $1_devpts_t admin_terminal;
 

tools/regression.sh

@@ -1,16 +1,15 @@
 #!/bin/bash
 
 DISTROS="redhat gentoo debian suse"
-STRICT_TYPES="strict strict-mls strict-mcs"
-TARG_TYPES="targeted targeted-mls targeted-mcs"
+TYPES="strict strict-mls strict-mcs targeted targeted-mls targeted-mcs"
 POLVER="`checkpolicy -V |cut -f 1 -d ' '`"
 SETFILES="/usr/sbin/setfiles"
 
 do_test() {
 	local OPTS=""
 
-	for i in $STRICT_TYPES; do
-		OPTS="TYPE=$i QUIET=@"
+	for i in $TYPES; do
+		OPTS="TYPE=$i QUIET=@ DIRECT_INITRC=y"
 		[ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1"
 		make bare || exit 1
 		echo "**** Options: $OPTS ****"
@@ -19,19 +18,6 @@ do_test() {
 		make $OPTS file_contexts || exit 1
 		$SETFILES -q -c policy.$POLVER file_contexts || exit 1
 	done
-
-	# need a specific config for targeted policy
-	for i in $TARG_TYPES; do
-		OPTS="TYPE=$i QUIET=@"
-		[ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1"
-		make bare || exit 1
-		echo "**** Options: $OPTS ****"
-		cp policy/modules.conf.targeted_example policy/modules.conf
-		make $OPTS conf || exit 1
-		make $OPTS || exit 1
-		make $OPTS file_contexts || exit 1
-		$SETFILES -q -c policy.$POLVER file_contexts|| exit 1
-	done
 }
 
 # first to generic test