Cleanup samhain.if.

* Rearrange rules in the template.
* Remove samhain_etc_t:dir perms since there are no such dirs.
* Add extra docs in samhain_domtrans().
* Include samhaind_t in admin interface process perms.

policy/modules/services/samhain.if

@@ -29,7 +29,14 @@ template(`samhain_service_template',`
 	allow $1_t self:fd use;
 	allow $1_t self:process { setsched setrlimit signull };
 
-	read_files_pattern($1_t, etc_t, samhain_etc_t)
+	allow $1_t samhain_etc_t:file read_file_perms;
+	files_search_etc($1_t)
+
+	manage_files_pattern($1_t, samhain_log_t, samhain_log_t)
+	logging_log_filetrans($1_t, samhain_log_t, file)
+
+	manage_files_pattern($1_t, samhain_var_run_t, samhain_var_run_t)
+	files_pid_filetrans($1_t, samhain_var_run_t, file)
 
 	# Samhain needs to get the attribute of /proc/kcore.
 	kernel_getattr_core_if($1_t)
@@ -41,19 +48,6 @@ template(`samhain_service_template',`
 	dev_read_urand($1_t)
 	dev_dontaudit_read_rand($1_t)
 
-	manage_files_pattern($1_t, samhain_var_run_t, samhain_var_run_t)
-	files_pid_filetrans($1_t, samhain_var_run_t, file)
-
-	manage_files_pattern($1_t, samhain_log_t, samhain_log_t)
-	logging_log_filetrans($1_t, samhain_log_t, file)
-
-	# Samhain pid, log and log.lock files are all in directories of s0,
-	# while samhain daemon is running with the clearance level.
-	mls_file_write_all_levels($1_t)
-
-	# Read from utmp when monitoring login/logout events.
-	auth_read_login_records($1_t)
-
 	# Get the attributes of all kinds of files in the rootfs.
 	dev_getattr_all_blk_files($1_t)
 	dev_getattr_all_chr_files($1_t)
@@ -63,17 +57,12 @@ template(`samhain_service_template',`
 	files_getattr_all_dirs($1_t)
 	files_getattr_all_files($1_t)
 	files_getattr_all_symlinks($1_t)
-
 	files_getattr_all_pipes($1_t)
 	files_getattr_all_sockets($1_t)
 	files_getattr_all_mountpoints($1_t)
-
 	files_read_all_files($1_t)
 	files_read_all_symlinks($1_t)
 
-	# Read from wtmp when monitoring login/logout events.
-	init_read_utmp($1_t)
-
 	# Get the attribute of other filesystems mountpoint, such as /selinux
 	# /proc, /sys and /tmp, but not the contents inside, which suggests
 	# that following rules should be set in samhain configuration file:
@@ -89,6 +78,16 @@ template(`samhain_service_template',`
 	#    dir = -1/selinux
 	fs_getattr_all_dirs($1_t)
 
+	# Samhain pid, log and log.lock files are all in directories of s0,
+	# while samhain daemon is running with the clearance level.
+	mls_file_write_all_levels($1_t)
+
+	# Read from utmp when monitoring login/logout events.
+	auth_read_login_records($1_t)
+
+	# Read from wtmp when monitoring login/logout events.
+	init_read_utmp($1_t)
+
 	logging_send_syslog_msg($1_t)
 ')
 
@@ -118,6 +117,10 @@ interface(`samhain_domtrans',`
 ## </summary>
 ## <desc>
 ##	<p>
+##	Execute samhain in the samhain domain with the clearance security
+##	level and allow the specifiled role the samhain domain.
+##	</p>
+##	<p>
 ##	The range_transition rule used in this interface requires that
 ##	the calling domain should have the clearance security level
 ##	otherwise the MLS constraint for process transition would fail.
@@ -163,8 +166,8 @@ interface(`samhain_manage_config_files',`
 		type samhain_etc_t;
 	')
 
-	files_search_etc($1)
-	manage_files_pattern($1, samhain_etc_t, samhain_etc_t)
+	files_rw_etc_dirs($1)
+	allow $1 samhain_etc_t:file manage_file_perms;
 ')
 
 ########################################
@@ -264,13 +267,16 @@ interface(`samhain_manage_pid_files',`
 #
 interface(`samhain_admin',`
 	gen_require(`
-		type samhain_t, samhain_db_t, samhain_etc_t;
+		type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t;
 		type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
 	')
 
 	allow $1 samhain_t:process { ptrace signal_perms };
 	ps_process_pattern($1, samhain_t)
 
+	allow $1 samhaind_t:process { ptrace signal_perms };
+	ps_process_pattern($1, samhaind_t)
+
 	files_list_var_lib($1)
 	admin_pattern($1, samhain_db_t)