add ssp patch and move some domain_(base_)?_type() rules to the TE file.

refpolicy/Changelog

@@ -1,3 +1,8 @@
+- Move some rules out of domain_type() and domain_base_type()
+  to the TE file, to use the domain attribute to take advantage
+  of space savings from attribute use.
+- Add global stack smashing protector rule for urandom access from
+  Petre Rodan.
 - Fix temporary rules at the bottom of portmap.
 - Updated comments in mls file from Chad Hanson.
 - Added modules:

refpolicy/policy/global_tunables

@@ -24,7 +24,6 @@ gen_tunable(allow_cvs_read_shadow,false)
 ## </desc>
 gen_tunable(allow_execheap,false)
 
-
 ## <desc>
 ## <p>
 ## Allow making anonymous memory executable, e.g. 
@@ -145,6 +144,19 @@ gen_tunable(ftp_home_dir,false)
 ## </desc>
 gen_tunable(ftpd_is_daemon,false)
 
+## <desc>
+## <p>
+## Enable reading of urandom for all domains.
+## </p>
+## <p>
+## This should be enabled when all programs
+## are compiled with ProPolice/SSP
+## stack smashing protection.  All domains will
+## be allowed to read from /dev/urandom.
+## </p>
+## </desc>
+gen_tunable(global_ssp,false)
+
 ## <desc>
 ## <p>
 ## Allow httpd to use built in scripting (usually php)

refpolicy/policy/modules/kernel/domain.if

@@ -28,26 +28,7 @@ interface(`domain_base_type',`
 		attribute domain;
 	')
 
-	# mark as a domain
 	typeattribute $1 domain;
-
-	# allow the domain to read its /proc/pid entries
-	allow $1 self:dir r_dir_perms;
-	allow $1 self:lnk_file r_file_perms;
-	allow $1 self:file rw_file_perms;
-
-	# allow $1 to create child processes in this domain
-	allow $1 self:process { fork sigchld };
-
-	ifdef(`targeted_policy',`
-		# FIXME:
-		# hack until role dominance is fixed in
-		# the module compiler
-		role secadm_r types $1;
-		role sysadm_r types $1;
-		role user_r types $1;
-		role staff_r types $1;
-	')
 ')
 
 ########################################
@@ -64,29 +45,24 @@ interface(`domain_type',`
 	# start with basic domain
 	domain_base_type($1)
 
-	# Use trusted objects in /dev
-	dev_rw_null($1)
-	dev_rw_zero($1)
-	term_use_controlling_term($1)
-
-	# read the root directory
-	files_list_root($1)
-
-	# send init a sigchld and signull
-	init_sigchld($1)
-	init_signull($1)
-
 	ifdef(`targeted_policy',`
 		unconfined_use_fds($1)
 		unconfined_sigchld($1)
 	')
 
+	# send init a sigchld and signull
+	optional_policy(`init',`
+		init_sigchld($1)
+		init_signull($1)
+	')
+
+	# these seem questionable:
+
 	# allow any domain to connect to the LDAP server
 	optional_policy(`ldap',`
 		ldap_use($1)
 	')
 
-	# these 3 seem highly questionable:
 	optional_policy(`rpm',`
 		rpm_use_fds($1)
 		rpm_read_pipes($1)

refpolicy/policy/modules/kernel/domain.te

@@ -65,3 +65,46 @@ attribute process_uncond_exempt;	# add userhelperdomain to this one
 
 neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
 neverallow ~{ domain unlabeled_t } *:process *;
+
+########################################
+#
+# Rules applied to all domains
+#
+
+# read /proc/pid entries
+allow domain self:dir r_dir_perms;
+allow domain self:lnk_file r_file_perms;
+allow domain self:file rw_file_perms;
+
+# create child processes in the domain
+allow domain self:process { fork sigchld };
+
+# Use trusted objects in /dev
+dev_rw_null(domain)
+dev_rw_zero(domain)
+term_use_controlling_term(domain)
+
+# list the root directory
+files_list_root(domain)
+
+ifdef(`targeted_policy',`
+	# RBAC is disabled in the targeted policy,
+	# as only one role is used, system_r.
+	role system_r types domain;
+
+	# FIXME:
+	# workaround until role dominance is fixed in
+	# the module compiler
+	role secadm_r types domain;
+	role sysadm_r types domain;
+	role user_r types domain;
+	role staff_r types domain;
+')
+
+tunable_policy(`global_ssp',`
+	# enable reading of urandom for all domains:
+	# this should be enabled when all programs
+	# are compiled with ProPolice/SSP
+	# stack smashing protection.
+	dev_read_urand(domain)
+')