From 3337a39ddc40df9cacd572eec6d0e290ead9b30d Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Sep 22 2012 11:46:11 +0000
Subject: Changes to the cipe policy module

Module clean up
This package is no longer available

Signed-off-by: Dominick Grift
---
diff --git a/cipe.fc b/cipe.fc
index afcdf02..c753522 100644
--- a/cipe.fc
+++ b/cipe.fc
@@ -1,4 +1,3 @@
-#
-# /usr
-#
+/etc/rc\.d/init\.d/ciped.* -- gen_context(system_u:object_r:ciped_initrc_exec_t,s0)
+
 /usr/sbin/ciped.* -- gen_context(system_u:object_r:ciped_exec_t,s0)
diff --git a/cipe.if b/cipe.if
index b5fd668..5fb51b2 100644
--- a/cipe.if
+++ b/cipe.if
@@ -1 +1,32 @@
-## Encrypted tunnel daemon
+## Encrypted tunnel daemon.
+
+########################################
+##
+## All of the rules required to
+## administrate an cipe environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`cipe_admin',`
+ gen_require(`
+ type ciped_t, ciped_initrc_exec_t;
+ ')
+
+ allow $1 ciped_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ciped_t)
+
+ init_labeled_script_domtrans($1, ciped_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ciped_initrc_exec_t system_r;
+ allow $2 system_r;
+')
diff --git a/cipe.te b/cipe.te
index 8e1ef38..28c8475 100644
--- a/cipe.te
+++ b/cipe.te
@@ -1,4 +1,4 @@
-policy_module(cipe, 1.5.0)
+policy_module(cipe, 1.5.1)
 ########################################
 #
@@ -9,6 +9,9 @@ type ciped_t;
 type ciped_exec_t;
 init_daemon_domain(ciped_t, ciped_exec_t)
+type ciped_initrc_exec_t;
+init_script_file(ciped_initrc_exec_t)
+
 ########################################
 #
 # Local policy
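Review bot: In the cipe.if hunk, `allow $1 ciped_t:process { ptrace signal_perms };` is the broadest rule in the new cipe_admin interface and carries no comment saying why the admin domain needs to inspect the daemon's process rather than only start, stop and signal it; ciped_t holds net_admin and ipc_lock capabilities per the cipe.te context lines and, being a tunnel daemon, presumably keeps keying material in memory, so ptrace is worth a why-comment such as `# ptrace: let $1 attach a debugger to ciped_t; signal_perms alone covers stop/restart`. The interface summary also reads "administrate an cipe environment"; `administer a cipe environment` is the conventional wording for these summaries. The interface correctly requires ciped_initrc_exec_t, which the cipe.te hunk in this same commit declares.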
@@ -18,8 +21,6 @@ allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };
 dontaudit ciped_t self:capability sys_tty_config;
 allow ciped_t self:process signal_perms;
 allow ciped_t self:fifo_file rw_fifo_file_perms;
-allow ciped_t self:unix_dgram_socket create_socket_perms;
-allow ciped_t self:unix_stream_socket create_socket_perms;
 allow ciped_t self:udp_socket create_socket_perms;
 kernel_read_kernel_sysctls(ciped_t)
@@ -32,15 +33,14 @@ corenet_all_recvfrom_unlabeled(ciped_t)
 corenet_all_recvfrom_netlabel(ciped_t)
 corenet_udp_sendrecv_generic_if(ciped_t)
 corenet_udp_sendrecv_generic_node(ciped_t)
-corenet_udp_sendrecv_all_ports(ciped_t)
 corenet_udp_bind_generic_node(ciped_t)
-# cipe uses the afs3-bos port (udp 7007)
-corenet_udp_bind_afs_bos_port(ciped_t)
+
 corenet_sendrecv_afs_bos_server_packets(ciped_t)
+corenet_udp_bind_afs_bos_port(ciped_t)
+corenet_udp_sendrecv_afs_bos_port(ciped_t)
-dev_read_sysfs(ciped_t)
 dev_read_rand(ciped_t)
-# for SSP
+dev_read_sysfs(ciped_t)
 dev_read_urand(ciped_t)
 domain_use_interactive_fds(ciped_t)
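Review bot: The removal of `allow ciped_t self:unix_dgram_socket create_socket_perms;` and the unix_stream_socket rule is not explained in the commit message, and nothing in this hunk replaces them. If ciped logs through syslog, the dgram socket permission would now have to come from `logging_send_syslog_msg(ciped_t)`, which is outside this hunk and cannot be confirmed from here. A short justification in the commit message, or a note that denials were checked after the change, would settle it for the next reader.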
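Review bot: The why-comment `# cipe uses the afs3-bos port (udp 7007)` is dropped along with the bind rule it explained, yet the re-added `corenet_udp_bind_afs_bos_port(ciped_t)` and the new `corenet_udp_sendrecv_afs_bos_port(ciped_t)` still rest on that fact; without it a later reader cannot tell why a tunnel daemon is bound to an AFS port name. Keep the comment directly above the bind line. Likewise `# for SSP` is removed above `dev_read_urand(ciped_t)`, which leaves the urandom read unexplained; retaining it costs nothing. Narrowing from corenet_udp_sendrecv_all_ports to the single afs_bos port is the right direction and needs no further change.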