From: guido@trentalancia.com (Guido Trentalancia)
Date: Mon, 24 Jan 2011 01:44:05 +0100
Subject: [refpolicy] [PATCH/RFC 6/19]: patch set to update the git reference
	policy
Message-ID: <1295829845.3862.65.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/files.if refpolicy-git-18012011-new/policy/modules/kernel/files.if
--- refpolicy-git-18012011/policy/modules/kernel/files.if	2011-01-08 19:07:21.203735196 +0100
+++ refpolicy-git-18012011-new/policy/modules/kernel/files.if	2011-01-18 23:13:49.759847386 +0100
@@ -4131,6 +4131,126 @@ interface(`files_purge_tmp',`
 
 ########################################
 ## <summary>
+##      Set the attributes of the /bin directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_setattr_bin_dirs',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir setattr;
+')
+
+########################################
+## <summary>
+##      Search the content of /bin.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_search_bin',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##      Get the attributes of files in /bin.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_getattr_bin_files',`
+        gen_require(`
+                type bin_t;
+        ')
+
+        getattr_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+##      Read generic files in /bin.
+## </summary>
+## <desc>
+##      <p>
+##      Allow the specified domain to read generic
+##      files in /bin. These files are various program
+##      files that do not have more specific SELinux types.
+##      </p>
+## </desc>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`files_read_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir list_dir_perms;
+	read_files_pattern($1, bin_t, bin_t)
+	read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+##      Execute generic programs in /bin in the caller domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_exec_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir list_dir_perms;
+	exec_files_pattern($1, bin_t, bin_t)
+	read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+##      Read symbolic links in /bin.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_read_bin_symlinks',`
+	gen_require(`
+		type bin_t;
+	')
+
+	read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
 ##	Set the attributes of the /usr directory.
 ## </summary>
 ## <param name="domain">
@@ -4149,7 +4269,7 @@ interface(`files_setattr_usr_dirs',`
 
 ########################################
 ## <summary>
-##	Search the content of /etc.
+##	Search the content of /usr.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5070,6 +5190,196 @@ interface(`files_manage_mounttab',`
 ')
 
 ########################################
+## <summary>
+##      Get the attributes of the /var/log directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_getattr_var_log_dirs',`
+	gen_require(`
+		type var_t, var_log_t;
+	')
+
+	getattr_dirs_pattern($1, var_t, var_log_t)
+')
+
+########################################
+## <summary>
+##      Search the /var/log directory.
+## </summary>
+## <desc>
+##      <p>
+##      Search the /var/log directory.  This is
+##      necessary to access files or directories under
+##      /var/log that have a private type.  For example, a
+##      domain accessing a private log file in the
+##      /var/log directory:
+##      </p>
+##      <p>
+##      allow mydomain_t mylogfile_t:file read_file_perms;
+##      files_search_var_log(mydomain_t)
+##      </p>
+## </desc>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`files_search_var_log',`
+	gen_require(`
+		type var_t, var_log_t;
+	')
+
+	search_dirs_pattern($1, var_t, var_log_t)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to search the
+##      contents of /var/log.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`files_dontaudit_search_var_log',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	dontaudit $1 var_log_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##      List the contents of the /var/log directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_list_var_log',`
+	gen_require(`
+		type var_t, var_log_t;
+	')
+
+	list_dirs_pattern($1, var_t, var_log_t)
+')
+
+###########################################
+## <summary>
+##      Read-write /var/log directories
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_rw_var_log_dirs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	rw_dirs_pattern($1, var_log_t, var_log_t)
+')
+
+###########################################
+## <summary>
+##      Append to files in the /var/log directories
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_var_log_append',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	append_files_pattern($1, var_log_t, var_log_t)
+')
+
+########################################
+## <summary>
+##      Create objects in the /var/log directory
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="file_type">
+##      <summary>
+##      The type of the object to be created
+##      </summary>
+## </param>
+## <param name="object_class">
+##      <summary>
+##      The object class.
+##      </summary>
+## </param>
+#
+interface(`files_var_log_filetrans',`
+	gen_require(`
+		type var_t, var_log_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	filetrans_pattern($1, var_log_t, $2, $3)
+')
+
+########################################
+## <summary>
+##      Read generic files in /var/log.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_read_var_log_files',`
+	gen_require(`
+		type var_t, var_log_t;
+	')
+
+	allow $1 var_log_t:dir list_dir_perms;
+	read_files_pattern($1, { var_t var_log_t }, var_log_t)
+')
+
+########################################
+## <summary>
+##      Read generic symbolic links in /var/log
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_read_var_log_symlinks',`
+	gen_require(`
+		type var_t, var_log_t;
+	')
+
+	read_lnk_files_pattern($1, { var_t var_log_t }, var_log_t)
+')
+
+########################################
 ## <summary>
 ##	Search the locks directory (/var/lock).
 ## </summary>
diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/kernel.if refpolicy-git-18012011-new/policy/modules/kernel/kernel.if
--- refpolicy-git-18012011/policy/modules/kernel/kernel.if	2011-01-17 19:36:10.808130722 +0100
+++ refpolicy-git-18012011-new/policy/modules/kernel/kernel.if	2011-01-19 18:48:36.830593580 +0100
@@ -1406,6 +1406,26 @@ interface(`kernel_dontaudit_list_all_pro
 
 ########################################
 ## <summary>
+##      Allows to search the base
+##      directory of sysctls.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+##
+#
+interface(`kernel_search_sysctl',`
+        gen_require(`
+                type sysctl_t;
+        ')
+
+        allow $1 sysctl_t:dir search;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts by caller to search
 ##	the base directory of sysctls.
 ## </summary>
@@ -1873,6 +1893,24 @@ interface(`kernel_rw_kernel_sysctl',`
 ')
 
 ########################################
+## <summary>
+##      Allow caller to search filesystem sysctls.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kernel_search_fs_sysctl',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_fs_t;
+	')
+
+	search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
+')
+
+########################################
 ## <summary>
 ##	Read filesystem sysctls.
 ## </summary>