From: jwcart2@tycho.nsa.gov (James Carter)
Date: Wed, 25 Apr 2012 10:25:52 -0400
Subject: [refpolicy] [PATCH 4/4 v2] Changed contrib policy to use the new non_auth_file_type interfaces
Message-ID: <1335363952.17855.33.camel@moss-lions.epoch.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Replaced calls to interfaces allowing access to all files except auth_file_type files with calls to interfaces allowing access to non_auth_file_type files.
Signed-off-by: James Carter
---
 dpkg.te | 6 +++---
 ftp.te | 4 ++--
 portage.if | 6 +++---
 puppet.te | 2 +-
 rgmanager.te | 2 +-
 rpc.te | 6 +++---
 rpm.te | 6 +++---
 rsync.te | 6 +++---
 samba.te | 12 ++++++------
 snmp.te | 2 +-
 sosreport.te | 2 +-
 sxid.te | 2 +-
 12 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/dpkg.te b/dpkg.te
index 20ee3f5..d134e6e 100644
--- a/dpkg.te
+++ b/dpkg.te
@@ -143,8 +143,8 @@ storage_raw_write_fixed_disk(dpkg_t)
 # for installing kernel packages
 storage_raw_read_fixed_disk(dpkg_t)
-auth_relabel_all_files_except_auth_files(dpkg_t)
-auth_manage_all_files_except_auth_files(dpkg_t)
+files_relabel_non_auth_files(dpkg_t)
+files_manage_non_auth_files(dpkg_t)
 auth_dontaudit_read_shadow(dpkg_t)
 files_exec_etc_files(dpkg_t)
@@ -289,7 +289,7 @@ term_use_all_terms(dpkg_script_t)
 auth_dontaudit_getattr_shadow(dpkg_script_t)
 # ideally we would not need this
-auth_manage_all_files_except_auth_files(dpkg_script_t)
+files_manage_non_auth_files(dpkg_script_t)
 init_domtrans_script(dpkg_script_t)
 init_use_script_fds(dpkg_script_t)
diff --git a/ftp.te b/ftp.te
index 02ffdfb..df288c3 100644
--- a/ftp.te
+++ b/ftp.te
@@ -261,7 +261,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
 tunable_policy(`allow_ftpd_full_access',`
 allow ftpd_t self:capability { dac_override dac_read_search };
- auth_manage_all_files_except_auth_files(ftpd_t)
+ files_manage_non_auth_files(ftpd_t)
 ')
 tunable_policy(`ftp_home_dir',` 
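Review bot: The `+files_relabel_non_auth_files(dpkg_t)` / `+files_manage_non_auth_files(dpkg_t)` lines turn an exclusion rule (everything except `auth_file_type`, as the replaced interface names state) into an allow-list keyed on the `non_auth_file_type` attribute, and neither this hunk nor the commit message says that every file type is guaranteed to carry exactly one of the two attributes. Any type declared without the interface that attaches `non_auth_file_type` silently drops out of dpkg_t's relabel/manage set after this change, which for a package manager surfaces as install-time denials rather than a policy build error; the hunk also cannot show that no type ends up with both attributes, which would be a widening relative to the old rule. Suggest stating the invariant in the commit message, e.g. `Equivalent to the replaced rules only while every file_type carries exactly one of auth_file_type / non_auth_file_type; see the earlier patches in this series for how the attribute is assigned.`, so reviewers of later type declarations know what they must preserve. The dpkg_t rule block starts before this hunk and continues after it.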
@@ -394,7 +394,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
 tunable_policy(`sftpd_full_access',`
 allow sftpd_t self:capability { dac_override dac_read_search };
 fs_read_noxattr_fs_files(sftpd_t)
- auth_manage_all_files_except_auth_files(sftpd_t)
+ files_manage_non_auth_files(sftpd_t)
 ')
 tunable_policy(`use_samba_home_dirs',`
diff --git a/portage.if b/portage.if
index ce69a52..b4bb48a 100644
--- a/portage.if
+++ b/portage.if
@@ -174,9 +174,9 @@ interface(`portage_compile_domain',`
 # needed for merging dbus:
 selinux_compute_access_vector($1)
- auth_read_all_dirs_except_auth_files($1)
- auth_read_all_files_except_auth_files($1)
- auth_read_all_symlinks_except_auth_files($1)
+ files_list_non_auth_dirs($1)
+ files_read_non_auth_files($1)
+ files_read_non_auth_symlinks($1)
 libs_exec_lib_files($1) # some config scripts use ldd
diff --git a/puppet.te b/puppet.te
index b3e7665..cab5319 100644
--- a/puppet.te
+++ b/puppet.te
@@ -134,7 +134,7 @@ sysnet_dns_name_resolve(puppet_t)
 sysnet_run_ifconfig(puppet_t, system_r)
 tunable_policy(`puppet_manage_all_files',`
- auth_manage_all_files_except_auth_files(puppet_t)
+ files_manage_non_auth_files(puppet_t)
 ')
 optional_policy(`
diff --git a/rgmanager.te b/rgmanager.te
index c537000..3740776 100644
--- a/rgmanager.te
+++ b/rgmanager.te
@@ -92,7 +92,7 @@ term_getattr_pty_fs(rgmanager_t)
 #term_use_ptmx(rgmanager_t)
 # needed by resources scripts
-auth_read_all_files_except_auth_files(rgmanager_t)
+files_read_non_auth_files(rgmanager_t)
 auth_dontaudit_getattr_shadow(rgmanager_t)
 auth_use_nsswitch(rgmanager_t)
diff --git a/rpc.te b/rpc.te
index 62fca97..bec4a77 100644
--- a/rpc.te
+++ b/rpc.te
@@ -158,7 +158,7 @@ tunable_policy(`nfs_export_all_rw',`
 dev_getattr_all_chr_files(nfsd_t)
 fs_read_noxattr_fs_files(nfsd_t)
- auth_manage_all_files_except_auth_files(nfsd_t)
+ files_manage_non_auth_files(nfsd_t)
 ')
 tunable_policy(`nfs_export_all_ro',` 
@@ -170,8 +170,8 @@ tunable_policy(`nfs_export_all_ro',`
 fs_read_noxattr_fs_files(nfsd_t)
- auth_read_all_dirs_except_auth_files(nfsd_t)
- auth_read_all_files_except_auth_files(nfsd_t)
+ files_list_non_auth_dirs(nfsd_t)
+ files_read_non_auth_files(nfsd_t)
 ')
 ########################################
diff --git a/rpm.te b/rpm.te
index e9f1f16..b70ad5f 100644
--- a/rpm.te
+++ b/rpm.te
@@ -158,8 +158,8 @@ storage_raw_read_fixed_disk(rpm_t)
 term_list_ptys(rpm_t)
-auth_relabel_all_files_except_auth_files(rpm_t)
-auth_manage_all_files_except_auth_files(rpm_t)
+files_relabel_non_auth_files(rpm_t)
+files_manage_non_auth_files(rpm_t)
 auth_dontaudit_read_shadow(rpm_t)
 auth_use_nsswitch(rpm_t)
@@ -308,7 +308,7 @@ term_use_all_terms(rpm_script_t)
 auth_dontaudit_getattr_shadow(rpm_script_t)
 auth_use_nsswitch(rpm_script_t)
 # ideally we would not need this
-auth_manage_all_files_except_auth_files(rpm_script_t)
+files_manage_non_auth_files(rpm_script_t)
 auth_relabel_shadow(rpm_script_t)
 corecmd_exec_all_executables(rpm_script_t)
diff --git a/rsync.te b/rsync.te
index 5c17e84..0ef3870 100644
--- a/rsync.te
+++ b/rsync.te
@@ -125,9 +125,9 @@ tunable_policy(`rsync_export_all_ro',`
 fs_read_noxattr_fs_files(rsync_t)
 fs_read_nfs_files(rsync_t)
 fs_read_cifs_files(rsync_t)
- auth_read_all_dirs_except_auth_files(rsync_t)
- auth_read_all_files_except_auth_files(rsync_t)
- auth_read_all_symlinks_except_auth_files(rsync_t)
+ files_list_non_auth_dirs(rsync_t)
+ files_read_non_auth_files(rsync_t)
+ files_read_non_auth_symlinks(rsync_t)
 auth_tunable_read_shadow(rsync_t)
 ')
 auth_can_read_shadow_passwords(rsync_t)
diff --git a/samba.te b/samba.te
index fff6675..1ef8d5d 100644
--- a/samba.te
+++ b/samba.te 
@@ -449,18 +449,18 @@ tunable_policy(`samba_create_home_dirs',`
 tunable_policy(`samba_export_all_ro',`
 fs_read_noxattr_fs_files(smbd_t)
- auth_read_all_dirs_except_auth_files(smbd_t)
- auth_read_all_files_except_auth_files(smbd_t)
+ files_list_non_auth_dirs(smbd_t)
+ files_read_non_auth_files(smbd_t)
 fs_read_noxattr_fs_files(nmbd_t)
- auth_read_all_dirs_except_auth_files(nmbd_t)
- auth_read_all_files_except_auth_files(nmbd_t)
+ files_list_non_auth_dirs(nmbd_t)
+ files_read_non_auth_files(nmbd_t)
 ')
 tunable_policy(`samba_export_all_rw',`
 fs_read_noxattr_fs_files(smbd_t)
- auth_manage_all_files_except_auth_files(smbd_t)
+ files_manage_non_auth_files(smbd_t)
 fs_read_noxattr_fs_files(nmbd_t)
- auth_manage_all_files_except_auth_files(nmbd_t)
+ files_manage_non_auth_files(nmbd_t)
 userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
 ')
diff --git a/snmp.te b/snmp.te
index eb3c1d0..24d3033 100644
--- a/snmp.te
+++ b/snmp.te
@@ -99,7 +99,7 @@ storage_dontaudit_read_fixed_disk(snmpd_t)
 storage_dontaudit_read_removable_device(snmpd_t)
 auth_use_nsswitch(snmpd_t)
-auth_read_all_dirs_except_auth_files(snmpd_t)
+files_list_non_auth_dirs(snmpd_t)
 init_read_utmp(snmpd_t)
 init_dontaudit_write_utmp(snmpd_t)
diff --git a/sosreport.te b/sosreport.te
index ebaff2f..5b653e3 100644
--- a/sosreport.te
+++ b/sosreport.te
@@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
 # some config files do not have configfile attribute
 # sosreport needs to read various files on system
-auth_read_all_files_except_auth_files(sosreport_t)
+files_read_non_auth_files(sosreport_t)
 auth_use_nsswitch(sosreport_t)
 init_domtrans_script(sosreport_t)
diff --git a/sxid.te b/sxid.te
index 045fb86..9154671 100644
--- a/sxid.te
+++ b/sxid.te
@@ -66,7 +66,7 @@ fs_list_all(sxid_t)
 term_dontaudit_use_console(sxid_t)
-auth_read_all_files_except_auth_files(sxid_t)
+files_read_non_auth_files(sxid_t)
 auth_dontaudit_getattr_shadow(sxid_t)
 init_use_fds(sxid_t)
-- 
1.7.7.6
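Review bot: `+files_read_non_auth_files(nmbd_t)` and `+files_manage_non_auth_files(nmbd_t)` re-issue to nmbd_t the same filesystem-wide read and manage grants that `samba_export_all_ro` / `samba_export_all_rw` give smbd_t, and nothing in the hunk says why the name-service daemon needs them. If nmbd only provides NetBIOS name and browse service rather than serving share content, the rw boolean hands a second network-facing daemon write access to every non-auth file for no visible purpose, and since this patch is rewriting exactly those lines it is the natural place to either drop the nmbd_t grants or add a comment above them stating the reason, e.g. `# nmbd needs this for: <reason>`. This is a pre-existing scope question carried forward rather than one introduced here, so a follow-up patch would also be acceptable. The enclosing smbd_t/nmbd_t rule block continues on both sides of this hunk.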
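Review bot: `+files_list_non_auth_dirs(snmpd_t)` replaces `auth_read_all_dirs_except_auth_files(snmpd_t)`, and the two interface names describe different directory permission sets ("read" versus "list"), while the commit message presents the series as a pure interface swap. The interface definitions are not in this patch, so it is worth confirming that the permissions granted are identical and saying so in the commit message if they are not; snmpd is network-facing and this rule is the one bounding its directory visibility, so a widening should be called out explicitly and a narrowing will show up as new AVC denials. The same read-to-list rename is applied in the portage.if, rpc.te, rsync.te and samba.te hunks, so one confirmation covers all of them. The snmpd_t rule block starts before this hunk and continues after it.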