loadable module compile fixes

refpolicy/policy/modules/admin/netutils.te

@@ -147,10 +147,8 @@ optional_policy(`pcmcia.te',`
 	pcmcia_use_cardmgr_fd(ping_t)
 ')
 
-optional_policy(`sysnetwork.te',`
+optional_policy(`hotplug.te',`
-	optional_policy(`hotplug.te',`
+	hotplug_use_fd(ping_t)
-		hotplug_use_fd(ping_t)
-	')
 ')
 
 ifdef(`TODO',`

refpolicy/policy/modules/kernel/kernel.if

@@ -1396,7 +1396,7 @@ interface(`kernel_relabel_unlabeled',`
 #
 interface(`kernel_unconfined',`
 	gen_require(`
-		type kernel_t, unlabeled_t;
+		type kernel_t, unlabeled_t, sysctl_t;
 		attribute proc_type, sysctl_type;
 		attribute kern_unconfined;
 		attribute can_load_kernmodule, can_receive_kernel_messages;

refpolicy/policy/modules/kernel/storage.if

@@ -74,25 +74,6 @@ interface(`storage_dontaudit_setattr_fixed_disk',`
 	dontaudit $1 fixed_disk_device_t:blk_file getattr;
 ')
 
-########################################
-## <summary>
-##	Do not audit attempts made by the caller to read
-##	fixed disk device nodes.
-## </summary>
-## <param name="domain">
-##	The type of the process to not audit.
-## </param>
-#
-interface(`storage_dontaudit_read_fixed_disk',`
-	gen_require(`
-		type removable_device_t;
-		class blk_file { getattr ioctl read };
-		
-	')
-
-	dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };
-')
-
 ########################################
 ## <summary>
 ##	Allow the caller to directly read from a fixed disk.
@@ -116,6 +97,24 @@ interface(`storage_raw_read_fixed_disk',`
 	typeattribute $1 fixed_disk_raw_read;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts made by the caller to read
+##	fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
+#
+interface(`storage_dontaudit_read_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+		
+	')
+
+	dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to directly write to a fixed disk.

refpolicy/policy/modules/services/cron.te

@@ -1,6 +1,10 @@
 
 policy_module(cron, 1.0)
 
+gen_require(`
+	class passwd rootok;
+')
+
 ########################################
 #
 # Declarations

refpolicy/policy/modules/services/nscd.if

@@ -34,6 +34,7 @@ interface(`nscd_domtrans',`
 interface(`nscd_use_socket',`
 	gen_require(`
 		type nscd_t, nscd_var_run_t;
+		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
 	')
 
 	allow $1 self:unix_stream_socket create_socket_perms;
@@ -61,6 +62,7 @@ interface(`nscd_use_socket',`
 interface(`nscd_use_shared_mem',`
 	gen_require(`
 		type nscd_t, nscd_var_run_t;
+		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
 	')
 
 	allow $1 nscd_var_run_t:dir r_dir_perms;

refpolicy/policy/modules/services/postgresql.te

@@ -175,10 +175,6 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(postgresql_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(postgresql_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(postgresql_t)
 ')
@@ -188,6 +184,9 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(postgresql_t)
+')
 ifdef(`targeted_policy', `', `
 bool allow_user_postgresql_connect false;
 

refpolicy/policy/modules/services/samba.te

@@ -16,8 +16,8 @@ files_pid_file(nmbd_var_run_t)
 type samba_etc_t; #, usercanread;
 files_type(samba_etc_t)
 
-type samba_log_t, logfile;
+type samba_log_t;
-files_type(samba_log_t)
+logging_log_file(samba_log_t)
 
 type samba_net_t;
 domain_type(samba_net_t)

refpolicy/policy/modules/services/ssh.if

@@ -480,22 +480,24 @@ template(`ssh_server_template', `
 		fs_read_cifs_files($1_t)
 	')
 
-	optional_policy(`inetd.te',`
+	# cjp: commenting out until typeattribute works in conditional
-		tunable_policy(`run_ssh_inetd',`
+	# and require block in optional else is resolved
-			allow $1_t self:process signal;
+	#optional_policy(`inetd.te',`
-			files_list_pids($1_t)
+	#	tunable_policy(`run_ssh_inetd',`
-		',`
+	#		allow $1_t self:process signal;
-			corenet_tcp_bind_ssh_port($1_t)
+	#		files_list_pids($1_t)
-			init_use_fd($1_t)
+	#	',`
-			init_use_script_pty($1_t)
+	#		corenet_tcp_bind_ssh_port($1_t)
-		')
+	#		init_use_fd($1_t)
-	',`
+	#		init_use_script_pty($1_t)
+	#	')
+	#',`
 		# These rules should match the else block
 		# of the run_ssh_inetd tunable directly above
 		corenet_tcp_bind_ssh_port($1_t)
 		init_use_fd($1_t)
 		init_use_script_pty($1_t)
-	')
+	#')
 
 	optional_policy(`kerberos.te',`
 		kerberos_use($1_t)

refpolicy/policy/modules/system/init.if

@@ -592,11 +592,10 @@ interface(`init_dontaudit_use_script_pty',`
 #
 interface(`init_rw_script_tmp_files',`
 	gen_require(`
-		type initrc_var_run_t;
+		type initrc_tmp_t;
-		class file rw_file_perms;
 	')
 
-	# FIXME: read tmp_t dir
+	files_search_tmp($1)
 	allow $1 initrc_tmp_t:file rw_file_perms;
 ')
 

refpolicy/policy/modules/system/sysnetwork.te

@@ -140,7 +140,7 @@ miscfiles_read_localization(dhcpc_t)
 
 modutils_domtrans_insmod(dhcpc_t)
 
-userdom_dontaudit_search_staff_home_dir(sysadm_t)
+userdom_dontaudit_search_staff_home_dir(dhcpc_t)
 
 ifdef(`distro_redhat', `
 	files_exec_etc_files(dhcpc_t)

refpolicy/policy/support/loadable_module.spt

@@ -104,33 +104,33 @@ define(`optional_policy',`
 #
 define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
 
+##############################
+#
+# Extract booleans out of an expression.
+# This needs to be reworked so expressions
+# with parentheses can work.
+
+define(`delcare_required_symbols',`
+ifelse(regexp($1, `\w'), -1, `', `dnl
+bool regexp($1, `\(\w+\)', `\1');
+delcare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl
+') dnl
+')
+
 ##############################
 #
 # Tunable declaration
 #
 define(`gen_tunable',`
-	ifdef(`in_gen_require_block',`
+	ifdef(`self_contained_policy',`
-		ifdef(`self_contained_policy',`
+		bool $1 dflt_or_overr(`$1'_conf,$2);
-			bool $1;
-		',`
-			# loadable module tunable
-			# require will go here
-			# instead of bool when
-			# loadable modules support
-			# tunables
-			bool $1;
-		')
 	',`
-		ifdef(`self_contained_policy',`
+		# loadable module tunable
-			bool $1 dflt_or_overr(`$1'_conf,$2);
+		# declaration will go here
-		',`
+		# instead of bool when
-			# loadable module tunable
+		# loadable modules support
-			# declaration will go here
+		# tunables
-			# instead of bool when
+		bool $1 dflt_or_overr(`$1'_conf,$2);
-			# loadable modules support
-			# tunables
-			bool $1 dflt_or_overr(`$1'_conf,$2);
-		')
 	')
 ')
 
@@ -150,6 +150,10 @@ define(`tunable_policy',`
 		# will go here instead of a
 		# conditional when loadable
 		# modules support tunables
+		gen_require(`
+			delcare_required_symbols(`$1')
+		')
+
 		if (`$1') {
 			$2
 		} else {