diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index 359cbdc..f39a053 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -1,6 +1,10 @@
 
 policy_module(firstboot,1.0)
 
+gen_require(`
+	class passwd rootok;
+')
+
 ########################################
 #
 # Declarations
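Review bot: The `class passwd rootok;` require added at the top of firstboot.te has no comment, and the rule that uses it is not in this hunk, so a reader cannot tell which access on firstboot_t it backs. As far as I know, `rootok` is the permission userspace tools check before letting root skip authentication, so it is worth tying to its rule explicitly, for example `# passwd is a userspace object class; needed by the passwd rootok rule for firstboot_t` (adjust to the actual rule). The same applies to the `class nscd { admin getstat };` require added at the top of nscd.te, which sits well above the `allow nscd_t self:nscd { admin getstat };` rule it supports.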
@@ -111,6 +115,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(firstboot_t)
 ')
 
+optional_policy(`samba.te',`
+	samba_rw_config(firstboot_t)
+')
+
 optional_policy(`usermanage.te',`
 	usermanage_domtrans_useradd(firstboot_t)
 	usermanage_domtrans_groupadd(firstboot_t)
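Review bot: `samba_rw_config(firstboot_t)` may not grant the same access as the `rw_dir_file(firstboot_t, samba_etc_t)` line removed in the next hunk. The old macro's name suggests read/write on both directories and files of samba_etc_t, while the only parts of samba_rw_config visible in this commit are `files_search_etc($1)` and a former `class file rw_file_perms;` require. If firstboot creates or renames files when writing Samba configuration, it would need directory write access that the interface may not provide. If the narrowing is intended, a comment such as `# file read/write only; firstboot does not create files in the Samba config directory` would record the decision.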
@@ -123,10 +131,6 @@ ifdef(`printconf.te', `
 	can_exec(firstboot_t, printconf_t)
 ')
 
-ifdef(`samba.te', `
-	rw_dir_file(firstboot_t, samba_etc_t)
-')
-
 ifdef(`userhelper.te', `
 	role system_r types sysadm_userhelper_t;
 	domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 6d0b9ba..89f26ff 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -756,8 +756,6 @@ interface(`kernel_dontaudit_search_network_sysctl_dir',`
 interface(`kernel_read_net_sysctl',`
 	gen_require(`
 		type proc_t, sysctl_t, sysctl_net_t;
-		class dir r_dir_perms;
-		class file f_file_perms;
 	')
 
 	allow $1 proc_t:dir search;
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 2ba6b92..b597a2e 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -454,8 +454,7 @@ interface(`term_relabelto_all_user_ptys',`
 interface(`term_use_all_user_ptys',`
 	gen_require(`
 		attribute ptynode;
-		class dir r_dir_perms;
-		class chr_file { getattr read write ioctl };
+		type devpts_t;
 	')
 
 	dev_list_all_dev_nodes($1)
diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if
index b777d46..b1b0199 100644
--- a/refpolicy/policy/modules/services/kerberos.if
+++ b/refpolicy/policy/modules/services/kerberos.if
@@ -32,9 +32,6 @@
 interface(`kerberos_use',`
 	gen_require(`
 		type krb5_conf_t;
-		class file r_file_perms;
-		class tcp_socket create_socket_perms;
-		class udp_socket create_socket_perms;
 	')
 
 	files_search_etc($1)
@@ -71,7 +68,6 @@ interface(`kerberos_use',`
 interface(`kerberos_read_config',`
 	gen_require(`
 		type krb5_conf_t;
-		class files r_file_perms;
 	')
 
 	files_search_etc($1)
@@ -89,7 +85,6 @@ interface(`kerberos_read_config',`
 interface(`kerberos_rw_config',`
 	gen_require(`
 		type krb5_conf_t;
-		class files rw_file_perms;
 	')
 
 	files_search_etc($1)
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index 1f5a0c5..d744ed9 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@@ -11,12 +11,6 @@
 interface(`nis_use_ypbind',`
 	gen_require(`
 		type var_yp_t;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
-		class file r_file_perms;
-		class capability net_bind_service;
-		class tcp_socket create_stream_socket_perms;
-		class udp_socket create_socket_perms;
 	')
 
 	tunable_policy(`allow_ypbind',`
@@ -65,7 +59,6 @@ interface(`nis_use_ypbind',`
 interface(`nis_list_var_yp',`
 	gen_require(`
 		type ypbind_t;
-		class dir r_dir_perms;
 	')
 
 	files_search_var($1)
@@ -83,7 +76,6 @@ interface(`nis_list_var_yp',`
 interface(`nis_udp_sendto_ypbind',`
 	gen_require(`
 		type ypbind_t;
-		class udp_socket { sendto recvfrom };
 	')
 
 	allow $1 ypbind_t:udp_socket sendto;
diff --git a/refpolicy/policy/modules/services/nscd.if b/refpolicy/policy/modules/services/nscd.if
index 08c7152..26740c9 100644
--- a/refpolicy/policy/modules/services/nscd.if
+++ b/refpolicy/policy/modules/services/nscd.if
@@ -11,9 +11,6 @@
 interface(`nscd_domtrans',`
 	gen_require(`
 		type nscd_t, nscd_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')
 
 	corecmd_search_sbin($1)
@@ -37,12 +34,6 @@ interface(`nscd_domtrans',`
 interface(`nscd_use_socket',`
 	gen_require(`
 		type nscd_t, nscd_var_run_t;
-		class fd use;
-		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
-		class unix_stream_socket { create_socket_perms connectto };
-		class dir { search getattr };
-		class sock_file rw_file_perms;
-		class file { getattr read };
 	')
 
 	allow $1 self:unix_stream_socket create_socket_perms;
@@ -70,12 +61,6 @@ interface(`nscd_use_socket',`
 interface(`nscd_use_shared_mem',`
 	gen_require(`
 		type nscd_t, nscd_var_run_t;
-		class fd use;
-		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
-		class unix_stream_socket { create_stream_socket_perms connectto };
-		class dir r_dir_perms;
-		class sock_file rw_file_perms;
-		class file { getattr read };
 	')
 
 	allow $1 nscd_var_run_t:dir r_dir_perms;
@@ -106,8 +91,6 @@ interface(`nscd_use_shared_mem',`
 interface(`nscd_read_pid',`
 	gen_require(`
 		type nscd_var_run_t;
-		class dir search;
-		class file { getattr read };
 	')
 
 	files_search_pids($1)
@@ -126,6 +109,7 @@ interface(`nscd_read_pid',`
 interface(`nscd_unconfined',`
 	gen_require(`
 		type nscd_t;
+		class nscd all_nscd_perms;
 	')
 
 	allow $1 nscd_t:nscd *;
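Review bot: The require added to nscd_unconfined names the permissions through `all_nscd_perms`, but the rule on the last line of the hunk still grants `*`, so the two agree only while that set lists every permission of class nscd. Writing the rule as `allow $1 nscd_t:nscd all_nscd_perms;` would keep the grant and the require in step. It would also make the full extent of this interface, which presumably includes the `admin` permission seen in nscd.te, visible to anyone searching for it. The interface's closing lines are outside the hunk.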
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 0cb99bd..abb9b6e 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -1,6 +1,10 @@
 
 policy_module(nscd,1.0)
 
+gen_require(`
+	class nscd { admin getstat };
+')
+
 ########################################
 #
 # Declarations
@@ -35,7 +39,6 @@ allow nscd_t self:udp_socket create_socket_perms;
 
 # For client program operation, invoked from sysadm_t.
 # Transition occurs to nscd_t due to direct_sysadm_daemon. 
-# cjp: this should probably be in a direct_sysadm_daemon tunable
 allow nscd_t self:nscd { admin getstat };
 
 allow nscd_t nscd_log_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
index da8ca03..567cdb2 100644
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@@ -52,9 +52,6 @@ template(`samba_per_userdomain_template',`
 interface(`samba_domtrans_net',`
 	gen_require(`
 		type samba_net_t, samba_net_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')
 
 	corecmd_search_bin($1)
@@ -84,7 +81,6 @@ interface(`samba_domtrans_net',`
 interface(`samba_run_net',`
 	gen_require(`
 		type samba_net_t;
-		class chr_file rw_term_perms;
 	')
 
 	samba_domtrans_net($1)
@@ -103,9 +99,6 @@ interface(`samba_run_net',`
 interface(`samba_domtrans_smbmount',`
 	gen_require(`
 		type smbmount_t, smbmount_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')
 
 	corecmd_search_bin($1)
@@ -129,7 +122,6 @@ interface(`samba_domtrans_smbmount',`
 interface(`samba_read_config',`
 	gen_require(`
 		type samba_etc_t;
-		class file { read getattr lock };
 	')
 
 	files_search_etc($1)
@@ -148,7 +140,6 @@ interface(`samba_read_config',`
 interface(`samba_rw_config',`
 	gen_require(`
 		type samba_etc_t;
-		class file rw_file_perms;
 	')
 
 	files_search_etc($1)
@@ -166,7 +157,6 @@ interface(`samba_rw_config',`
 interface(`samba_read_log',`
 	gen_require(`
 		type samba_log_t;
-		class file { read getattr lock };
 	')
 
 	logging_search_logs($1)
@@ -201,7 +191,6 @@ interface(`samba_exec_log',`
 interface(`samba_read_secrets',`
 	gen_require(`
 		type samba_secrets_t;
-		class file { read getattr lock };
 	')
 
 	files_search_etc($1)
@@ -219,7 +208,6 @@ interface(`samba_read_secrets',`
 interface(`samba_write_smbmount_tcp_socket',`
 	gen_require(`
 		type smbmount_t;
-		class tcp_socket write;
 	')
 
 	allow $1 smbmount_t:tcp_socket write;
@@ -236,7 +224,6 @@ interface(`samba_write_smbmount_tcp_socket',`
 interface(`samba_rw_smbmount_tcp_socket',`
 	gen_require(`
 		type smbmount_t;
-		class tcp_socket { read write };
 	')
 
 	allow $1 smbmount_t:tcp_socket { read write };
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 6f56a29..6e5af0f 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -875,12 +875,7 @@ interface(`domain_unconfined',`
 		attribute can_change_process_identity;
 		attribute can_change_process_role;
 		attribute can_change_object_identity;
-		class fd use;
-		class fifo_file rw_file_perms;
-		class process { transition dyntransition execmem };
-		class dir r_dir_perms;
-		class file r_file_perms;
-		class lnk_file r_file_perms;
+		attribute unconfined_domain;
 	')
 
 	typeattribute $1 unconfined_domain;
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index df31a4e..c22f519 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -700,7 +700,6 @@ interface(`files_mounton_default',`
 interface(`files_dontaudit_getattr_default_files',`
 	gen_require(`
 		type default_t;
-		class files getattr;
 	')
 
 	dontaudit $1 default_t:file getattr;
diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt
index 71954e1..787957e 100644
--- a/refpolicy/policy/support/loadable_module.spt
+++ b/refpolicy/policy/support/loadable_module.spt
@@ -22,9 +22,11 @@ define(`policy_module',`
 #
 define(`gen_require',`
 	ifdef(`monolithic_policy',`',`
+		define(`in_gen_require_block')
 		require {
 			$1
 		}
+		undefine(`in_gen_require_block')
 	')
 ')
 
@@ -107,15 +109,28 @@ define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
 # Tunable declaration
 #
 define(`gen_tunable',`
-	ifdef(`monolithic_policy',`
-		bool $1 dflt_or_overr(`$1'_conf,$2);
+	ifdef(`in_gen_require_block',`
+		ifdef(`monolithic_policy',`
+			bool $1;
+		',`
+			# loadable module tunable
+			# declaration will go here
+			# instead of bool when
+			# loadable modules support
+			# tunables
+			bool $1;
+		')
 	',`
-		# loadable module tunable
-		# declaration will go here
-		# instead of bool when
-		# loadable modules support
-		# tunables
-		bool $1 dflt_or_overr(`$1'_conf,$2);
+		ifdef(`monolithic_policy',`
+			bool $1 dflt_or_overr(`$1'_conf,$2);
+		',`
+			# loadable module tunable
+			# declaration will go here
+			# instead of bool when
+			# loadable modules support
+			# tunables
+			bool $1 dflt_or_overr(`$1'_conf,$2);
+		')
 	')
 ')