From 9fe1b540b8661909154727a795ca529d375349b9 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 20 May 2010 08:54:51 -0400
Subject: [PATCH] Prelink patch from Dan Walsh.

---
 policy/modules/admin/prelink.fc | 1 +
 policy/modules/admin/prelink.if | 38 ++++++++++++++++++
 policy/modules/admin/prelink.te | 70 ++++++++++++++++++++++++++++++---
 3 files changed, 104 insertions(+), 5 deletions(-)

diff --git a/policy/modules/admin/prelink.fc b/policy/modules/admin/prelink.fc
index 0c1055d70..cfb874afa 100644
--- a/policy/modules/admin/prelink.fc
+++ b/policy/modules/admin/prelink.fc
@@ -1,3 +1,4 @@
+/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
 /etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if
index bb9b962ad..6c151d4a0 100644
--- a/policy/modules/admin/prelink.if
+++ b/policy/modules/admin/prelink.if
@@ -19,6 +19,25 @@ interface(`prelink_domtrans',`
 domtrans_pattern($1, prelink_exec_t, prelink_t)
 ')
+########################################
##
## Execute the prelink program in the current domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`prelink_exec',`
+ gen_require(`
+ type prelink_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, prelink_exec_t)
+')
+
 ########################################
 ##
 ## Execute the prelink program in the prelink domain.
@@ -159,3 +178,22 @@ interface(`prelink_relabelfrom_lib',`
 files_search_var_lib($1)
 relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
 ')
+
+########################################
##
## Relabel from files in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`prelink_relabel_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
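Review bot: The summary of the new `prelink_relabel_lib` interface reads "Relabel from files in the /boot directory.", but its body does `files_search_var_lib($1)` followed by `relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)`, i.e. it grants both relabelfrom and relabelto on prelink's files under /var/lib, and nothing in it touches /boot. The text looks copied from another module and will mislead anyone choosing an interface by its summary, particularly since `prelink_relabelfrom_lib` directly above is the relabelfrom-only variant and the two need to be told apart. Suggest replacing the summary line with `## Relabel prelink files in /var/lib (relabelfrom and relabelto).`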
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index 15621d8f1..516e5388b 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -1,5 +1,5 @@
-policy_module(prelink, 1.8.0)
+policy_module(prelink, 1.8.1)
 ########################################
 #
@@ -15,14 +15,22 @@ domain_obj_id_change_exemption(prelink_t)
 type prelink_cache_t;
 files_type(prelink_cache_t)
+type prelink_cron_system_t;
+type prelink_cron_system_exec_t;
+domain_type(prelink_cron_system_t)
+domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
+
 type prelink_log_t;
 logging_log_file(prelink_log_t)
 type prelink_tmp_t;
 files_tmp_file(prelink_tmp_t)
+type prelink_tmpfs_t;
+files_tmpfs_file(prelink_tmpfs_t)
+
 type prelink_var_lib_t;
-files_tmp_file(prelink_var_lib_t)
+files_type(prelink_var_lib_t)
 ########################################
 #
@@ -35,7 +43,6 @@ allow prelink_t self:fifo_file rw_fifo_file_perms;
 allow prelink_t prelink_cache_t:file manage_file_perms;
 files_etc_filetrans(prelink_t, prelink_cache_t, file)
-files_var_lib_filetrans(prelink_t, prelink_cache_t, file)
 allow prelink_t prelink_log_t:dir setattr;
 create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
@@ -45,11 +52,14 @@ logging_log_filetrans(prelink_t, prelink_log_t, file)
 allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
 files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
-fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
+
+allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
+fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
 manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
 manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
-files_search_var_lib(prelink_t)
+relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
 # prelink misc objects that are not system
 # libraries or entrypoints
@@ -80,6 +90,7 @@ fs_getattr_xattr_fs(prelink_t)
 selinux_get_enforce_mode(prelink_t)
 libs_exec_ld_so(prelink_t)
+libs_legacy_use_shared_libs(prelink_t)
 libs_manage_ld_so(prelink_t)
 libs_relabel_ld_so(prelink_t)
 libs_manage_shared_libs(prelink_t)
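Review bot: The new `allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };` lets the domain create a writable tmpfs file, execute it and then modify its mapped text (execmod), which is exactly the W^X exception SELinux is normally used to deny, and it is granted without a word of explanation; the identical grant on prelink_tmp_t two lines above is equally silent. Presumably prelink writes a relinked copy of a library to scratch space and has to map it executable to check it before moving it into place, but that is an inference from the rule set rather than anything the hunk shows. A one-line comment above the pair, such as `# prelink relinks into a scratch copy in tmp/tmpfs and must map it executable (execmod) to verify it`, would let a later reviewer judge whether the grant is still required. As far as this patch shows, prelink_tmpfs_t is only ever assigned through `fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)`, so in practice the rule covers files prelink creates itself, which is worth stating in that comment as well.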
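Review bot: `libs_legacy_use_shared_libs(prelink_t)` is added with no comment, and if the interface does what its name suggests (legacy shared-library access, which in refpolicy usually means execmod on text-relocation libraries) it widens what prelink_t may do to library files beyond the manage/relabel rules around it. A short why-comment would help, e.g. `# prelink must also process libraries that still carry text relocations`. The "legacy" in the name also suggests confirming that the interface is not deprecated in the refpolicy branch this is meant for before relying on it.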
@@ -98,6 +109,55 @@ optional_policy(`
 cron_system_entry(prelink_t, prelink_exec_t)
 ')
+optional_policy(`
+ rpm_manage_tmp_files(prelink_t)
+')
+
 optional_policy(`
 unconfined_domain(prelink_t)
 ')
+
+########################################
+#
+# Prelink Cron system Policy
+#
+
+optional_policy(`
+ allow prelink_cron_system_t self:capability setuid;
+ allow prelink_cron_system_t self:process { setsched setfscreate };
+ allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
+ allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
+
+ read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
+ allow prelink_cron_system_t prelink_cache_t:file unlink;
+
+ domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
+ allow prelink_cron_system_t prelink_t:process noatsecure;
+
+ manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t)
+
+ manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
+ files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
+ allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };
+
+ kernel_read_system_state(prelink_cron_system_t)
+
+ corecmd_exec_bin(prelink_cron_system_t)
+ corecmd_exec_shell(prelink_cron_system_t)
+
+ files_read_etc_files(prelink_cron_system_t)
+
+ init_exec(prelink_cron_system_t)
+
+ libs_exec_ld_so(prelink_cron_system_t)
+
+ logging_search_logs(prelink_cron_system_t)
+
+ miscfiles_read_localization(prelink_cron_system_t)
+
+ cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
+
+ optional_policy(`
+ rpm_read_db(prelink_cron_system_t)
+ ')
+')
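Review bot: The whole "Prelink Cron system Policy" block is wrapped in one unconditional `optional_policy(`` … `')`, so if the cron module is absent at link time every rule for prelink_cron_system_t (its self rules, the `domtrans_pattern` into prelink_t, the log and var_lib access) is dropped together with `cron_system_entry`, while the type itself, declared unconditionally in the Declarations hunk, is left with no entrypoint and no permissions. Only `cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)` depends on the cron module, so the usual refpolicy shape is to keep the domain's own rules at top level and put just that call (and the nested `rpm_read_db` block) inside `optional_policy(`. Separately, `allow prelink_cron_system_t prelink_t:process noatsecure;` switches off the secure-mode (AT_SECURE) environment cleansing that normally accompanies the transition into prelink_t, so the cron job's environment, loader variables included, reaches prelink unfiltered. If that is intentional, say why next to the rule, e.g. `# the cron script passes its options to prelink via the environment; keep it across the transition`, and the `self:capability setuid` grant for a job that already runs under system cron deserves the same kind of why-comment.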