From 1f8a8bbbbd7eb0d86fa46aaf4a41f96c867997ec Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Fri, 21 Oct 2005 22:56:41 +0000
Subject: [PATCH] more sediff fixes

---
 refpolicy/policy/modules/kernel/kernel.te   |  2 +-
 refpolicy/policy/modules/kernel/terminal.if |  4 ++--
 refpolicy/policy/modules/services/dhcp.te   |  2 +-
 refpolicy/policy/modules/services/inn.te    |  2 +-
 refpolicy/policy/modules/system/files.if    | 19 +++++++++++++++++++
 refpolicy/policy/modules/system/init.if     |  4 ++--
 refpolicy/policy/modules/system/init.te     |  1 +
 7 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 0d0f6c78a..76417fba9 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -29,7 +29,7 @@ type kernel_t, can_load_kernmodule;
 domain_base_type(kernel_t)
 mls_rangetrans_source(kernel_t)
 role system_r types kernel_t;
-sid kernel gen_context(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127)
+sid kernel gen_context(system_u:system_r:kernel_t,s0 - s9:c0.c127)
 
 #
 # DebugFS
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index b9f496de6..aae3f7e4a 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -17,6 +17,7 @@ interface(`term_pty',`
 		type devpts_t;
 	')
 
+	files_type($1)
 	allow $1 devpts_t:filesystem associate;
 	typeattribute $1 ptynode;
 ')
@@ -514,10 +515,9 @@ interface(`term_use_all_user_ptys',`
 interface(`term_dontaudit_use_all_user_ptys',`
 	gen_require(`
 		attribute ptynode;
-		class chr_file { read write };
 	')
 
-	dontaudit $1 ptynode:chr_file { read write };
+	dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index 6673f768d..0d1cec940 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -24,7 +24,7 @@ files_pid_file(dhcpd_var_run_t)
 # Local policy
 #
 
-dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
+dontaudit dhcpd_t self:capability { net_raw net_admin sys_tty_config };
 allow dhcpd_t self:process signal_perms;
 allow dhcpd_t self:fifo_file { read write getattr };
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index 0ef9c9a56..36c4d1c94 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -30,7 +30,7 @@ files_type(news_spool_t)
 #
 allow innd_t self:capability { dac_override kill setgid setuid };
 dontaudit innd_t self:capability sys_tty_config;
-allow innd_t self:process setsched;
+allow innd_t self:process { setsched signal_perms };
 allow innd_t self:fifo_file rw_file_perms;
 allow innd_t self:tcp_socket create_stream_socket_perms;
 allow innd_t self:udp_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 5098412a7..90d5c0d42 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -325,6 +325,25 @@ interface(`files_getattr_all_files',`
 	allow $1 file_type:file getattr;
 ')
 
+########################################
+## <summary>
+##	Get the attributes of all sockets
+##	with the type of a file.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for initrc_t/distro_redhat.  I
+# do not think it has any effect.
+interface(`files_getattr_all_file_type_sockets',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:socket_class_set getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 9c27daefc..f9e572332 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -92,10 +92,10 @@ interface(`init_daemon_domain',`
 		if(! regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
 			domain_auto_trans(initrc_t,$2,$1)
 			allow initrc_t $1:fd use;
-			allow initrc_t $1:process { noatsecure siginh rlimitinh };
 			allow $1 initrc_t:fd use;
 			allow $1 initrc_t:fifo_file rw_file_perms;
 			allow $1 initrc_t:process sigchld;
+			dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
 		} else {
 			can_exec(initrc_t,$2)
 			can_exec(direct_run_init,$2)
@@ -103,10 +103,10 @@ interface(`init_daemon_domain',`
 	',`
 		domain_auto_trans(initrc_t,$2,$1)
 		allow initrc_t $1:fd use;
-		allow initrc_t $1:process { noatsecure siginh rlimitinh };
 		allow $1 initrc_t:fd use;
 		allow $1 initrc_t:fifo_file rw_file_perms;
 		allow $1 initrc_t:process sigchld;
+		dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
 	')
 
 	optional_policy(`nscd.te',`
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index a43517846..92351e30d 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -418,6 +418,7 @@ ifdef(`distro_redhat',`
 	fs_use_tmpfs_chr_dev(initrc_t)
 
 	files_create_boot_flag(initrc_t)
+	files_getattr_all_file_type_sockets(initrc_t)
 
 	# readahead asks for these
 	mta_read_aliases(initrc_t)