From 9eb5e812feccbc0e0b0eba994b84e74bc037da26 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Thu, 21 Apr 2005 21:34:47 +0000
Subject: [PATCH] exec and transition interfaces, plus include mod object
 symlinks in reading modules

---
 refpolicy/policy/modules/system/modutils.if | 69 ++++++++++++++++++++-
 1 file changed, 67 insertions(+), 2 deletions(-)

diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index 365352978..cb2d02170 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -6,14 +6,15 @@
 #
 define(`modutils_read_kernel_modules',`
 requires_block_template(modutils_read_kernel_modules_depend,$2)
-allow $1 modules_object_t:file { getattr read };
 allow $1 modules_object_t:dir { getattr search read };
+allow $1 modules_object_t:{ lnk_file file } { getattr read };
 ')
 
 define(`modutils_read_kernel_modules_depend',`
 type modules_object_t;
-class file { getattr read };
 class dir { getattr search read };
+class lnk_file { getattr read };
+class file { getattr read };
 ')
 
 ########################################
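Review bot: The new `lnk_file` grant in `modutils_read_kernel_modules` has no documentation saying what it does and does not cover. `lnk_file { getattr read }` only lets the caller stat and resolve links labelled `modules_object_t`. Access to whatever the link points at is still decided by the target's own type, so a caller following a link out of the modules tree needs a separate rule. I would add a line to the interface's header comment, which begins above this hunk, such as `# Also allows resolving modules_object_t symlinks; link targets are checked under their own type.` Keep the wording free of quote characters if it is placed inside the `define` body, since m4 would treat them as quoting.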
@@ -93,3 +94,67 @@ define(`modutils_insmod_execute_depend',`
 type insmod_t;
 class file { getattr read execute execute_no_trans };
 ')
+
+########################################
+#
+# modutils_depmod_transition(domain,[`optional'])
+#
+define(`modutils_depmod_transition',`
+requires_block_template(modutils_depmod_transition_depend,$2)
+allow $1 depmod_exec_t:file { getattr read execute };
+allow $1 depmod_t:process transition;
+type_transition $1 depmod_exec_t:file depmod_t;
+dontaudit $1 depmod_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`modutils_depmod_transition_depend',`
+type depmod_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+########################################
+#
+# modutils_depmod_execute(domain,[`optional'])
+#
+define(`modutils_depmod_execute',`
+requires_block_template(modutils_depmod_execute_depend,$2)
+allow $1 depmod_exec_t:file { getattr read execute execute_no_trans };
+')
+
+define(`modutils_depmod_execute_depend',`
+type depmod_t;
+class file { getattr read execute execute_no_trans };
+')
+
+########################################
+#
+# modutils_update_modules_transition(domain,[`optional'])
+#
+define(`modutils_update_modules_transition',`
+requires_block_template(modutils_update_modules_transition_depend,$2)
+allow $1 update_modules_exec_t:file { getattr read execute };
+allow $1 update_modules_t:process transition;
+type_transition $1 update_modules_exec_t:file update_modules_t;
+dontaudit $1 update_modules_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`modutils_update_modules_transition_depend',`
+type update_modules_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+########################################
+#
+# modutils_update_modules_execute(domain,[`optional'])
+#
+define(`modutils_update_modules_execute',`
+requires_block_template(modutils_update_modules_execute_depend,$2)
+allow $1 update_modules_exec_t:file { getattr read execute execute_no_trans };
+')
+
+define(`modutils_update_modules_execute_depend',`
+type update_modules_t;
+class file { getattr read execute execute_no_trans };
+')