update policy/support macros

- add systemd service macro sets
- add some documentation
- add some recursion to some macro sets (ipv perm, object class sets)
- deprecate domain_trans and domain_auto_trans
- remove unpriv_socket_class_set

policy/modules/services/ssh.te

@@ -188,7 +188,7 @@ userdom_use_user_terminals(ssh_t)
 userdom_read_user_tmp_files(ssh_t)
 
 tunable_policy(`allow_ssh_keysign',`
-	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+	domain_auto_transition_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
 	allow ssh_keysign_t ssh_t:fd use;
 	allow ssh_keysign_t ssh_t:process sigchld;
 	allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;

policy/modules/services/xserver.if

@@ -940,7 +940,7 @@ interface(`xserver_xsession_spec_domtrans',`
 		type xsession_exec_t;
 	')
 
-	domain_trans($1, xsession_exec_t, $2)
+	domain_transition_pattern($1, xsession_exec_t, $2)
 ')
 
 ########################################

policy/modules/system/init.if

@@ -1315,7 +1315,7 @@ interface(`init_script_file_domtrans',`
 	')
 
 	files_list_etc($1)
-	domain_auto_trans($1, initrc_exec_t, $2)
+	domain_auto_transition_pattern($1, initrc_exec_t, $2)
 ')
 
 ########################################

policy/modules/system/userdomain.if

@@ -1739,7 +1739,7 @@ interface(`userdom_user_home_domtrans',`
 		type user_home_dir_t, user_home_t;
 	')
 
-	domain_auto_trans($1, user_home_t, $2)
+	domain_auto_transition_pattern($1, user_home_t, $2)
 	allow $1 user_home_dir_t:dir search_dir_perms;
 	files_search_home($1)
 ')

policy/support/file_patterns.spt

@@ -526,21 +526,32 @@ define(`relabel_chr_files_pattern',`
 #
 # File type_transition patterns
 #
-# filetrans_add_pattern(domain,dirtype,newtype,class(es),[filename])
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. new object type
+# 4. object class(es)
+# [optional] 5. filename (c style strcmp ready)
 #
+
+# do not grant $2:dir remove_name
 define(`filetrans_add_pattern',`
 	allow $1 $2:dir { list_dir_perms add_entry_dir_perms };
 	type_transition $1 $2:$4 $3 $5;
 ')
 
-#
-# filetrans_pattern(domain,dirtype,newtype,class(es),[filename])
-#
 define(`filetrans_pattern',`
 	allow $1 $2:dir rw_dir_perms;
 	type_transition $1 $2:$4 $3 $5;
 ')
 
+#
+# Admin pattern for file_type
+#
+# Parameters:
+# 1. domain type
+# 2. source object type
+#
 define(`admin_pattern',`
         manage_dirs_pattern($1,$2,$2)
         manage_files_pattern($1,$2,$2)

policy/support/ipc_patterns.spt

@@ -1,6 +1,12 @@
 #
 # unix domain socket patterns
 #
+# Parameters:
+# 1. source domain type
+# 2. container (directory) type
+# 3. socket type
+# 4. target domain type
+#
 define(`stream_connect_pattern',`
 	allow $1 $2:dir search_dir_perms;
 	allow $1 $3:sock_file write_sock_file_perms;

policy/support/misc_patterns.spt

@@ -1,5 +1,10 @@
 #
-# Specified domain transition patterns
+# Common domain transition pattern perms
+#
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
 #
 define(`domain_transition_pattern',`
 	allow $1 $2:file { getattr open read execute };
@@ -7,9 +12,21 @@ define(`domain_transition_pattern',`
 	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
 ')
 
-# compatibility:
+# compatibility: Deprecated (20161201)
-define(`domain_trans',`domain_transition_pattern($*)')
+define(`domain_trans',`
+	refpolicywarn(`$0() has been deprecated, please use domain_transition_pattern() instead.')
+	domain_transition_pattern($*)
+')
 
+
+#
+# Specified domain transition patterns
+#
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
+#
 define(`spec_domtrans_pattern',`
 	allow $1 self:process setexec;
 	domain_transition_pattern($1,$2,$3)
@@ -22,14 +39,31 @@ define(`spec_domtrans_pattern',`
 #
 # Automatic domain transition patterns
 #
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
+#
 define(`domain_auto_transition_pattern',`
 	domain_transition_pattern($1,$2,$3)
 	type_transition $1 $2:process $3;
 ')
 
-# compatibility:
+# compatibility: Deprecated (20161201)
-define(`domain_auto_trans',`domain_auto_transition_pattern($*)')
+define(`domain_auto_trans',`
+	refpolicywarn(`$0() has been deprecated, please use domain_auto_transition_pattern() instead.')
+	domain_auto_transition_pattern($*)
+')
 
+#
+# Automatic domain transition patterns
+# with feedback permissions
+#
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
+#
 define(`domtrans_pattern',`
 	domain_auto_transition_pattern($1,$2,$3)
 
@@ -41,6 +75,10 @@ define(`domtrans_pattern',`
 #
 # Dynamic transition pattern
 #
+# Parameters:
+# 1. source domain
+# 2. target domain
+#
 define(`dyntrans_pattern',`
 	allow $1 self:process setcurrent;
 	allow $1 $2:process dyntransition;
@@ -48,7 +86,11 @@ define(`dyntrans_pattern',`
 ')
 
 #
-# Other process permissions
+# Read foreign domain proc data
+#
+# Parameters:
+# 1. source domain
+# 2. target domain
 #
 define(`ps_process_pattern',`
 	allow $1 $2:dir list_dir_perms;

policy/support/obj_perm_sets.spt

@@ -1,39 +1,44 @@
 ########################################
-# 
+#
 # Support macros for sets of object classes and permissions
 #
 # This file should only have object class and permission set macros - they
 # can only reference object classes and/or permissions.
 
+
+########################################
+#
+# Macros for sets of classes
+#
+
 #
 # All directory and file classes
 #
-define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
+define(`dir_file_class_set', `{ dir file_class_set }')
 
 #
 # All non-directory file classes.
 #
-define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
+define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
 
 #
 # Non-device file classes.
 #
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+define(`notdevfile_class_set', `{ fifo_file file lnk_file sock_file }')
 
 #
 # Device file classes.
 #
-define(`devfile_class_set', `{ chr_file blk_file }')
+define(`devfile_class_set', `{ blk_file chr_file }')
 
 #
 # All socket classes.
 #
 define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
 
-
 #
 # Datagram socket classes.
-# 
+#
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 
 #
@@ -41,13 +46,9 @@ define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 #
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 
-#
-# Unprivileged socket classes (exclude rawip, netlink, packet).
-#
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
 
 ########################################
-# 
+#
 # Macros for sets of permissions
 #
 
@@ -58,48 +59,47 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }')
 
 #
 # Permissions for using sockets.
-# 
+#
 define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
 
 #
 # Permissions for creating and using sockets.
-# 
+#
 define(`create_socket_perms', `{ create rw_socket_perms }')
 
 #
 # Permissions for using stream sockets.
-# 
+#
 define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
 
 #
 # Permissions for creating and using stream sockets.
-# 
+#
 define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
 
 #
 # Permissions for creating and using sockets.
-# 
+#
 define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
 
 #
 # Permissions for creating and using sockets.
-# 
+#
 define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
 
-
 #
 # Permissions for creating and using netlink sockets.
-# 
+#
 define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
 
 #
 # Permissions for using netlink sockets for operations that modify state.
-# 
+#
 define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
 
 #
 # Permissions for using netlink sockets for operations that observe state.
-# 
+#
 define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
 
 #
@@ -116,19 +116,14 @@ define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_s
 # Permissions for using System V IPC
 #
 define(`r_sem_perms', `{ associate getattr read unix_read }')
-define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
+define(`rw_sem_perms', `{ r_sem_perms unix_write write }')
-define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
+define(`create_sem_perms', `{ create destroy rw_sem_perms setattr }')
 define(`r_msgq_perms', `{ associate getattr read unix_read }')
-define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
+define(`rw_msgq_perms', `{ enqueue r_msgq_perms unix_write write }')
-define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
+define(`create_msgq_perms', `{ create destroy rw_msgq_perms setattr }')
 define(`r_shm_perms', `{ associate getattr read unix_read }')
-define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
+define(`rw_shm_perms', `{ lock r_shm_perms unix_write write }')
-define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
+define(`create_shm_perms', `{ create destroy lock rw_shm_perms setattr }')
-
-########################################
-#
-# New permission sets
-#
 
 #
 # Directory (dir)
@@ -251,6 +246,7 @@ define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_chr_file_perms',`{ getattr relabelto }')
 define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
 
+
 ########################################
 #
 # Special permission sets
@@ -271,3 +267,10 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
 # Keys
 #
 define(`manage_key_perms', `{ create link read search setattr view write } ')
+
+#
+# Systemd service permission sets
+#
+define(`startstop_service_perms', `{ reload start status stop } ')
+define(`service_perms', `{ disable enable startstop_service_perms } ')
+