From 73ef293bc5af2ae4de06244c863aca2905cb8685 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Tue, 1 Nov 2005 21:15:11 +0000
Subject: [PATCH] fixes just so sediff is easier to handle

---
 refpolicy/policy/modules/admin/su.if          | 23 ++++++++++++-------
 refpolicy/policy/modules/kernel/filesystem.if |  2 +-
 refpolicy/policy/modules/services/ftp.te      |  2 ++
 .../policy/modules/system/selinuxutil.te      | 23 +++++++++++++------
 4 files changed, 34 insertions(+), 16 deletions(-)

diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 5e9772258..b7fd8de10 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -206,18 +206,25 @@ template(`su_per_userdomain_template',`
 	userdom_use_user_terminals($1,$1_su_t)
 	userdom_search_user_home($1,$1_su_t)
 
-	if(secure_mode) {
-		# Only allow transitions to unprivileged user domains.
-		userdom_spec_domtrans_unpriv_users($1_su_t)
-	} else {
-		# Allow transitions to all user domains
-		userdom_spec_domtrans_all_users($1_su_t)
-	}
-
 	ifdef(`targeted_policy',`
 		corecmd_exec_bin($1_su_t)
 		userdom_manage_all_user_files($1_su_t)
 		userdom_manage_all_user_symlinks($1_su_t)
+
+		# newrole does not make any sense in
+		# the targeted policy.  This is to
+		# make sediff easier.
+		if(!secure_mode) {
+			unconfined_domtrans($1_su_t)
+		}
+	',`
+		if(secure_mode) {
+			# Only allow transitions to unprivileged user domains.
+			userdom_spec_domtrans_unpriv_users($1_su_t)
+		} else {
+			# Allow transitions to all user domains
+			userdom_spec_domtrans_all_users($1_su_t)
+		}
 	')
 
 	tunable_policy(`use_nfs_home_dirs',`
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index d537e40eb..69a835414 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -660,7 +660,7 @@ interface(`fs_execute_cifs_files',`
 ##	The type of the domain to not audit.
 ## </param>
 #
-interface(`fs_read_cifs_files',`
+interface(`fs_dontaudit_read_cifs_files',`
 	gen_require(`
 		type cifs_t;
 		class file { read write };
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 315343cc0..95770691b 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -184,6 +184,8 @@ optional_policy(`inetd.te',`
 	#	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
 	#')
 
+	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
+
 	optional_policy(`tcpd.te',`
 		tunable_policy(`! ftpd_is_daemon',`
 			tcpd_domtrans(tcpd_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index bce4e26df..982dded7d 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -263,13 +263,22 @@ userdom_use_unpriv_users_fd(newrole_t)
 # for some PAM modules and for cwd
 userdom_dontaudit_search_all_users_home(newrole_t)
 
-# if secure mode is enabled, then newrole
-# can only transition to unprivileged users
-if(secure_mode) {
-	userdom_spec_domtrans_unpriv_users(newrole_t)
-} else {
-	userdom_spec_domtrans_all_users(newrole_t)
-}
+ifdef(`targeted_policy',`
+	# newrole does not make any sense in
+	# the targeted policy.  This is to
+	# make sediff easier.
+	if(!secure_mode) {
+		unconfined_domtrans(newrole_t)
+	}
+',`
+	# if secure mode is enabled, then newrole
+	# can only transition to unprivileged users
+	if(secure_mode) {
+		userdom_spec_domtrans_unpriv_users(newrole_t)
+	} else {
+		userdom_spec_domtrans_all_users(newrole_t)
+	}
+')
 
 optional_policy(`nis.te',`
 	nis_use_ypbind(newrole_t)