selinux-refpolicy.vger.kernel.org archive mirror
* [refpolicy] [PATCH 0/8] Fixes issues identified by spt_lint.lua to non-contrib
@ 2018-04-11 18:55 James Carter
From: James Carter @ 2018-04-11 18:55 UTC (permalink / raw)
  To: refpolicy

The first seven patches cause no change in the final kernel policy, but the
last one does.

Explanations for some of the patches.

Patch 2:
spt_lint.lua looks for calls that have too many or too few arguments and it
parses the interface XML header looking for optional and unused parameters,
so by marking parameters that are unused as unused it will not falsely
report a problem.

Patches 3-6:
These patches move file contexts to the module that actually declares
the type being used in the context. Patches 4 and 6 remove dependencies
from the base module on the init module in case of patch 4 and on 
the userdomain module in the case of patch 6. Patches 3 and 5 remove
inter-module dependencies.

Patch 7:
This patch fixes interfaces that are not used in the policy. It causes
no change in the final policy.

Patch 8:
This patch changes the final kernel policy because the interface had
an undeclared type and the call to it was causing an optional block
with another call in it to be removed, but now that other call will
show up in the policy.

James Carter (8):
  Removed unnecessary semicolons
  Mark unused parameters as unused
  Move the use of var_log_t from authlogin.fc to logging.fc
  Move the use of initrc_var_run_t from files.fc to init.fc
  Move use of systemd_unit_t from systemd.fc to init.fc
  Move use of user_devpts_t from terminal.fc to userdomain.fc
  Remove undeclared identifiers from interfaces
  Remove undeclared identifiers from xserver interface

 policy/modules/kernel/corenetwork.if.in | 18 ++++++------------
 policy/modules/kernel/devices.if        |  8 ++------
 policy/modules/kernel/files.fc          |  5 -----
 policy/modules/kernel/terminal.fc       |  1 -
 policy/modules/services/xserver.if      |  9 ++-------
 policy/modules/system/authlogin.fc      |  2 --
 policy/modules/system/init.fc           |  3 +++
 policy/modules/system/ipsec.te          | 24 ++++++++++++------------
 policy/modules/system/logging.fc        |  2 ++
 policy/modules/system/logging.te        |  2 +-
 policy/modules/system/systemd.fc        |  1 -
 policy/modules/system/systemd.te        |  8 ++++----
 policy/modules/system/userdomain.fc     |  2 ++
 policy/modules/system/userdomain.if     |  8 ++++----
 14 files changed, 38 insertions(+), 55 deletions(-)

-- 
2.13.6
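The check the cover letter attributes to spt_lint.lua (argument counts validated against the interface's XML doc header, with unused and optional parameters taken into account) is easy to reproduce in miniature. The following Python is an added example, not spt_lint.lua and not refpolicy code; every interface, type and call in it is constructed for the example, and it assumes refpolicy's doc-header conventions (`## <param name="..." unused="true">`, `optional="true"`, and `$N` positional references in the body).

```python
"""Toy arity and unused-parameter checker for refpolicy-style interfaces.

Added example, not spt_lint.lua and not refpolicy code: it mimics the checks
the cover letter describes (calls with too many or too few arguments, with
<param ... unused="true"> and optional="true" read from the XML doc header)
on constructed input.  Every interface, type and call below is made up.
"""
import re

# Constructed .if content in refpolicy's doc-header style.
SAMPLE_IF = r"""
## <summary>Read user home files.</summary>
## <param name="role" unused="true"><summary>The user role</summary></param>
## <param name="domain"><summary>User domain</summary></param>
#
interface(`userdom_ro_home_role',`
    gen_require(`
        type user_home_t;
    ')
    allow $2 user_home_t:file read_file_perms;
')

## <summary>Manage user tmp files; role is NOT marked unused (the defect patch 2 fixes).</summary>
## <param name="role"><summary>The user role</summary></param>
## <param name="domain"><summary>User domain</summary></param>
#
interface(`userdom_manage_tmp_role',`
    allow $2 user_tmp_t:file manage_file_perms;
')

## <summary>Send a syslog message; the second parameter is optional.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
## <param name="also_write" optional="true"><summary>Also allow write.</summary></param>
#
interface(`logging_send_syslog_msg',`
    allow $1 syslogd_t:unix_dgram_socket sendto;
    ifelse(`$2',`',`',`allow $1 syslogd_t:unix_dgram_socket write;')
')
"""

# Constructed .te content: one correct call, one with too few args, one with too many.
SAMPLE_TE = """
policy_module(staff, 1.0)
type staff_t;
role staff_r;
userdom_ro_home_role(staff_r, staff_t)
userdom_manage_tmp_role(staff_r)
logging_send_syslog_msg(staff_t, true, extra)
"""

PARAM_RE = re.compile(r'^##\s*<param name="([^"]+)"([^>]*)>', re.M)
IFACE_RE = re.compile(r"^(?:interface|template)\(`([^']+)',`(.*?)^'\)", re.M | re.S)
CALL_RE = re.compile(r"^\s*(\w+)\((.*?)\)\s*$", re.M)


def parse_interfaces(src):
    """Map name -> {"params": [(name, unused, optional)], "used": {N for $N in body}}."""
    ifaces, prev_end = {}, 0
    for m in IFACE_RE.finditer(src):
        header = src[prev_end:m.start()]        # doc comment preceding this body
        prev_end = m.end()
        params = [(p.group(1), 'unused="true"' in p.group(2), 'optional="true"' in p.group(2))
                  for p in PARAM_RE.finditer(header)]
        used = {int(n) for n in re.findall(r"\$(\d+)", m.group(2))}
        ifaces[m.group(1)] = {"params": params, "used": used}
    return ifaces


def check_headers(ifaces):
    """Flag header/body mismatches: unused marks that are wrong or missing."""
    problems = []
    for name, info in ifaces.items():
        for idx, (pname, unused, _opt) in enumerate(info["params"], start=1):
            referenced = idx in info["used"]
            if unused and referenced:
                problems.append(f"{name}: param {idx} ({pname}) marked unused but body uses ${idx}")
            elif not unused and not referenced:
                problems.append(f'{name}: param {idx} ({pname}) never used; mark it unused="true"')
        for idx in sorted(n for n in info["used"] if n > len(info["params"])):
            problems.append(f"{name}: body uses ${idx} but header declares only {len(info['params'])} params")
    return problems


def check_calls(ifaces, te_src):
    """Flag calls whose argument count does not fit the declared signature."""
    problems = []
    for m in CALL_RE.finditer(te_src):
        name, argstr = m.group(1), m.group(2)
        if name not in ifaces:
            continue                                # policy_module() and the like
        nargs = len([a for a in argstr.split(",") if a.strip()])
        params = ifaces[name]["params"]
        max_args = len(params)
        # Only trailing optional parameters may be omitted from a call.
        min_args = max((i for i, (_n, _u, opt) in enumerate(params, start=1) if not opt), default=0)
        if not min_args <= nargs <= max_args:
            want = str(min_args) if min_args == max_args else f"{min_args}-{max_args}"
            problems.append(f"{name}: expects {want} args, got {nargs}")
    return problems


if __name__ == "__main__":
    found = parse_interfaces(SAMPLE_IF)
    for p in check_headers(found) + check_calls(found, SAMPLE_TE):
        print(p)
```

Run as a script it reports one header problem (the role parameter of the constructed `userdom_manage_tmp_role` is never referenced, exactly what the `unused="true"` marks in patch 2 fix) and two call problems (one argument too few, one too many). A parameter wrongly marked unused is also reported, because a wrong mark would silence the arity check on a real problem.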


* [refpolicy] [PATCH 1/8] Removed unnecessary semicolons
From: James Carter @ 2018-04-11 18:55 UTC (permalink / raw)
  To: refpolicy

Removed unnecessary semicolons in ipsec.te, logging.te, and systemd.te

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 policy/modules/system/ipsec.te   | 24 ++++++++++++------------
 policy/modules/system/logging.te |  2 +-
 policy/modules/system/systemd.te |  8 ++++----
 3 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 24737ee0..e6524fa9 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -59,7 +59,7 @@ files_pid_file(ipsec_mgmt_var_run_t)
 
 type ipsec_supervisor_t;
 type ipsec_supervisor_exec_t;
-init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
+init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t)
 role system_r types ipsec_supervisor_t;
 
 type racoon_t;
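Review bot: behaviour-neutral cleanup, and consistent with the file's own convention visible in the context lines: bare m4 calls such as `files_pid_file(ipsec_mgmt_var_run_t)` carry no terminator, while native statements such as `role system_r types ipsec_supervisor_t;` keep theirs. Worth confirming with a policy.conf diff before and after the series that the generated policy is byte-identical, as the cover letter states.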
@@ -122,7 +122,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
 allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
 
 kernel_read_kernel_sysctls(ipsec_t)
-kernel_rw_net_sysctls(ipsec_t);
+kernel_rw_net_sysctls(ipsec_t)
 kernel_list_proc(ipsec_t)
 kernel_read_proc_symlinks(ipsec_t)
 # allow pluto to access /proc/net/ipsec_eroute;
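Review bot: the context line `# allow pluto to access /proc/net/ipsec_eroute;` still ends in a semicolon; it is inside a comment, so neither the policy build nor the linter will care, but dropping it would leave the file fully consistent with this cleanup.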
@@ -245,7 +245,7 @@ stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
 can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
 
-domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
+domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t)
 allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
 
 kernel_rw_net_sysctls(ipsec_mgmt_t)
@@ -467,7 +467,7 @@ allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
 allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
 
 allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;
-read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);
+read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t)
 
 manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
 
@@ -479,23 +479,23 @@ manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
 manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
 files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })
 
-domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);
+domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t)
 
 kernel_read_network_state(ipsec_supervisor_t)
 kernel_read_system_state(ipsec_supervisor_t)
-kernel_rw_net_sysctls(ipsec_supervisor_t);
+kernel_rw_net_sysctls(ipsec_supervisor_t)
 
-corecmd_exec_bin(ipsec_supervisor_t);
+corecmd_exec_bin(ipsec_supervisor_t)
 corecmd_exec_shell(ipsec_supervisor_t)
 
-dev_read_rand(ipsec_supervisor_t);
-dev_read_urand(ipsec_supervisor_t);
+dev_read_rand(ipsec_supervisor_t)
+dev_read_urand(ipsec_supervisor_t)
 
-files_read_etc_files(ipsec_supervisor_t);
+files_read_etc_files(ipsec_supervisor_t)
 
-logging_send_syslog_msg(ipsec_supervisor_t);
+logging_send_syslog_msg(ipsec_supervisor_t)
 
-miscfiles_read_localization(ipsec_supervisor_t);
+miscfiles_read_localization(ipsec_supervisor_t)
 
 optional_policy(`
 	modutils_domtrans(ipsec_supervisor_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index c46f8ee8..0d7d9f33 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -31,7 +31,7 @@ type auditd_initrc_exec_t;
 init_script_file(auditd_initrc_exec_t)
 
 type auditd_unit_t;
-init_unit_file(auditd_unit_t);
+init_unit_file(auditd_unit_t)
 
 type auditd_var_run_t;
 files_pid_file(auditd_var_run_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e55d01ca..e1a7bd54 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -776,10 +776,10 @@ allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override
 allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
 allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 
-manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
 init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
 
 kernel_read_system_state(systemd_passwd_agent_t)
-- 
2.13.6


* [refpolicy] [PATCH 2/8] Mark unused parameters as unused
From: James Carter @ 2018-04-11 18:55 UTC (permalink / raw)
  To: refpolicy

Marked unused parameters as unused in the interfaces listed below.

userdomain.if:userdom_ro_home_role()
userdomain.if:userdom_manage_home_role()
userdomain.if:userdom_manage_tmp_role()
userdomain.if:userdom_manage_tmpfs_role()

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 policy/modules/system/userdomain.if | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 2ae61442..bb507459 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -157,7 +157,7 @@ template(`userdom_base_user_template',`
 ##	This does not allow execute access.
 ##	</p>
 ## </desc>
-## <param name="role">
+## <param name="role" unused="true">
 ##	<summary>
 ##	The user role
 ##	</summary>
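Review bot: the hunk only shows the doc header, so this relies on the body of userdom_ro_home_role never referencing `$1`; a quick grep of each of the four interface bodies for `$1` would confirm the `unused="true"` marks are accurate, since a wrong mark would silence the linter on a real arity problem. The parameter stays positional either way, so existing callers passing the role are unaffected.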
@@ -228,7 +228,7 @@ interface(`userdom_ro_home_role',`
 ##	This does not allow execute access.
 ##	</p>
 ## </desc>
-## <param name="role">
+## <param name="role" unused="true">
 ##	<summary>
 ##	The user role
 ##	</summary>
@@ -300,7 +300,7 @@ interface(`userdom_manage_home_role',`
 ## <summary>
 ##	Manage user temporary files
 ## </summary>
-## <param name="role">
+## <param name="role" unused="true">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
@@ -363,7 +363,7 @@ interface(`userdom_exec_user_tmp_files',`
 ##	This does not allow execute access.
 ##	</p>
 ## </desc>
-## <param name="role">
+## <param name="role" unused="true">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
-- 
2.13.6


* [refpolicy] [PATCH 3/8] Move the use of var_log_t from authlogin.fc to logging.fc
From: James Carter @ 2018-04-11 18:55 UTC (permalink / raw)
  To: refpolicy

The type var_log_t is actually declared in logging.te.

Moved the file contexts to label dmesg and syslog files with the
var_log_t type from authlogin.fc to logging.fc.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 policy/modules/system/authlogin.fc | 2 --
 policy/modules/system/logging.fc   | 2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index a0c4d1c9..e22945cd 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -36,10 +36,8 @@ ifdef(`distro_suse', `
 /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 
 /var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
-/var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
 /var/log/faillog	--	gen_context(system_u:object_r:faillog_t,s0)
 /var/log/lastlog	--	gen_context(system_u:object_r:lastlog_t,s0)
-/var/log/syslog		--	gen_context(system_u:object_r:var_log_t,s0)
 /var/log/tallylog	--	gen_context(system_u:object_r:faillog_t,s0)
 /var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
 
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index b8df5fe7..c579c2d3 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -51,6 +51,8 @@ ifdef(`distro_suse', `
 
 /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
 /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
+/var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
+/var/log/syslog		--	gen_context(system_u:object_r:var_log_t,s0)
 /var/log/boot\.log	--	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/secure[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
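Review bot: the two new entries are placed between `/var/log/.*` and `/var/log/boot\.log`, which breaks the alphabetical order of the surrounding block (boot, messages, secure); putting `dmesg` after `boot\.log` and `syslog` after `secure` would match it. Also note the neighbours use `mls_systemhigh` while these keep `s0`, as they had in authlogin.fc; that preserves current behaviour, but on an MLS build the difference from `messages` and `secure` deserves a conscious decision rather than an inherited one.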
-- 
2.13.6


* [refpolicy] [PATCH 4/8] Move the use of initrc_var_run_t from files.fc to init.fc
From: James Carter @ 2018-04-11 18:55 UTC (permalink / raw)
  To: refpolicy

The type initrc_var_run_t is actually declared in init.te and moving it
removes a dependency of the base module (of which files is a part) on a
module.

Moved the file contexts to label motd for debian systems with the
initrc_var_run_t type from files.fc to init.fc.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 policy/modules/kernel/files.fc | 5 -----
 policy/modules/system/init.fc  | 2 ++
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 5223af27..c3496c21 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -270,8 +270,3 @@ ifndef(`distro_redhat',`
 /var/tmp/systemd-private-[^/]+/tmp	-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /var/tmp/systemd-private-[^/]+/tmp/.*	<<none>>
 /var/tmp/vi\.recover	-d	gen_context(system_u:object_r:tmp_t,s0)
-
-ifdef(`distro_debian',`
-/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-/run/motd\.dynamic	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-')
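Review bot: removing these entries is the right fix, since files.fc is part of the base module and referencing `initrc_var_run_t` here made base depend on the loadable init module. The hunk drops the whole `ifdef(`distro_debian',` block rather than just the two entries, which is correct because nothing else was in it; a grep of the other kernel-layer .fc files for types declared outside the kernel layer would show whether terminal.fc (patch 6) is the only remaining case.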
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 548a8631..71d2ef21 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -68,6 +68,8 @@ ifdef(`distro_redhat',`
 ifdef(`distro_debian',`
 /run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/kdm/.*		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/motd\.dynamic	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /etc/network/if-pre-up\.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/network/if-up\.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/network/if-down\.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
-- 
2.13.6


* [refpolicy] [PATCH 5/8] Move use of systemd_unit_t from systemd.fc to init.fc
From: James Carter @ 2018-04-11 18:55 UTC (permalink / raw)
  To: refpolicy

The type systemd_unit_t is actually declared in init.te.

Moved the file contexts to label transient systemd files with the
systemd_unit_t type from systemd.fc to init.fc.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 policy/modules/system/init.fc    | 1 +
 policy/modules/system/systemd.fc | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 71d2ef21..11a6ce93 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -34,6 +34,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
 /usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0)
 /usr/lib/systemd/system(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
+/run/systemd/transient(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
 
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
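Review bot: style point on placement: `/run/systemd/transient(/.*)?` is appended to the run of `/usr/lib/systemd/...` entries, so that block now mixes `/usr/lib` and `/run` prefixes. Grouping it with the other `/run` entries in init.fc, or at least separating it with a blank line, would keep the file's grouping by path prefix. The move itself is correct: the type is declared in init.te, so this label belongs in init.fc.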
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 183e0939..f8812453 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -49,7 +49,6 @@
 /run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
 /run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
-/run/systemd/transient(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
 /run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /run/systemd/inhibit(/.*)?	gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)
 /run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
-- 
2.13.6


* [refpolicy] [PATCH 6/8] Move use of user_devpts_t from terminal.fc to userdomain.fc
From: James Carter @ 2018-04-11 18:55 UTC (permalink / raw)
  To: refpolicy

The type user_devpts_t is actually declared in userdomain.te and moving it
removes a dependency of the base module (of which terminal is a part) on a
module.

Moved the file contexts to label slave pseudo terminals with the
user_devpts_t type from terminal.fc to userdomain.fc.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 policy/modules/kernel/terminal.fc   | 1 -
 policy/modules/system/userdomain.fc | 2 ++
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index 51199ac4..34175f75 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -24,7 +24,6 @@
 /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
 
 /dev/pts		-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
-/dev/pts/[0-9]+		-c	gen_context(system_u:object_r:user_devpts_t,s0)
 # if /dev/ptmx is a symlink to /dev/pts/ptmx then we need to have /dev/pts/ptmx
 # relabelled before sshd etc are ready to accept connections
 /dev/pts/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
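Review bot: after this hunk terminal.fc labels only the `/dev/pts` directory and `ptmx`; the `/dev/pts/[0-9]+` entry now depends on the userdomain module being built. That matches where `user_devpts_t` is declared, but the retained comment about relabelling `/dev/pts/ptmx` before sshd accepts connections shows that relabel ordering on `/dev/pts` has mattered before, so the commit message should confirm that runtime labelling of pty slaves (which is not driven by file_contexts) is unaffected and only explicit relabels of `/dev/pts` change module.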
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index 6c813b45..70b83058 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -10,3 +10,5 @@ HOME_DIR/\.pki(/.*)?	gen_context(system_u:object_r:user_cert_t,s0)
 # new genhomedircon required for these patterns
 /run/user/%{USERID}	-d	gen_context(system_u:object_r:user_runtime_t,s0)
 /run/user/%{USERID}/.+	<<none>>
+
+/dev/pts/[0-9]+		-c	gen_context(system_u:object_r:user_devpts_t,s0)
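Review bot: the new entry lands directly under the `# new genhomedircon required for these patterns` comment and the `%{USERID}` patterns it describes, but `/dev/pts/[0-9]+` has nothing to do with genhomedircon. Placing it above that comment, or giving it its own short comment, would stop a reader from associating it with the home-directory template machinery.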
-- 
2.13.6
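Patches 3-6 all fix the same class of problem: a .fc entry that labels with a type declared in another module's .te, which for kernel-layer files such as files.fc and terminal.fc makes the base module depend on a loadable module. The Python below is an added example, not spt_lint.lua and not refpolicy code, that finds such entries on constructed sample input; the module names, layers and paths in it are made up, and it assumes the simple `type a_t, b_t;` and `gen_context(u:r:TYPE,...)` forms seen in the hunks.

```python
"""Find file-context entries whose type is declared by another module.

Added example, not spt_lint.lua and not refpolicy code: patches 3-6 move
.fc entries to the module whose .te declares the type they use, and this
check reports such entries (and entries using a type no module declares)
on constructed sample input.  Module names, layers and paths below are
made up for the example.
"""
import re

# Constructed .te sources: module -> (layer, contents).  "kernel" marks
# base-module policy, which must not depend on types from loadable modules.
SAMPLE_TE = {
    "files": ("kernel", "policy_module(files, 1.0)\ntype tmp_t;\n"),
    "init": ("system", "policy_module(init, 1.0)\ntype initrc_var_run_t;\ntype initrc_exec_t;\n"),
    "logging": ("system", "policy_module(logging, 1.0)\ntype var_log_t;\n"),
    "authlogin": ("system", "policy_module(authlogin, 1.0)\ntype faillog_t, lastlog_t;\n"),
    "xserver": ("services", "policy_module(xserver, 1.0)\ntype xdm_t;\n"),
}

# Constructed .fc sources: module -> contents.  Two entries use a type that
# another module declares; one uses a type nobody declares.
SAMPLE_FC = {
    "files": ("/var/tmp/vi\\.recover\t-d\tgen_context(system_u:object_r:tmp_t,s0)\n"
              "/run/motd\t--\tgen_context(system_u:object_r:initrc_var_run_t,s0)\n"),
    "authlogin": ("/var/log/dmesg\t--\tgen_context(system_u:object_r:var_log_t,s0)\n"
                  "/var/log/faillog\t--\tgen_context(system_u:object_r:faillog_t,s0)\n"),
    "logging": "/var/log/.*\tgen_context(system_u:object_r:var_log_t,s0)\n",
    "xserver": "/var/spool/xdm(/.*)?\tgen_context(system_u:object_r:xdm_spool_t,s0)\n",
}

TYPE_DECL_RE = re.compile(r"^\s*type\s+([^;]+);", re.M)   # type a_t, b_t;
FC_TYPE_RE = re.compile(r"gen_context\(\w+:\w+:(\w+),")    # ...:object_r:TYPE,


def declared_types(te_by_module):
    """Map each declared type to the module that declares it."""
    owner = {}
    for module, (_layer, src) in te_by_module.items():
        for m in TYPE_DECL_RE.finditer(src):
            for part in m.group(1).split(","):
                owner[part.split()[0]] = module        # drops any "alias ..." tail
    return owner


def foreign_fc_uses(te_by_module, fc_by_module):
    """Return (module, line, type, declaring_module, kind) for suspect entries."""
    owner = declared_types(te_by_module)
    findings = []
    for module, fc in fc_by_module.items():
        layer = te_by_module.get(module, ("", ""))[0]
        for lineno, line in enumerate(fc.splitlines(), start=1):
            m = FC_TYPE_RE.search(line)
            if not m:
                continue                                # e.g. <<none>> entries
            t = m.group(1)
            decl = owner.get(t)
            if decl is None:
                findings.append((module, lineno, t, None, "undeclared"))
            elif decl != module:
                decl_layer = te_by_module[decl][0]
                kind = "base-on-module" if layer == "kernel" and decl_layer != "kernel" else "cross-module"
                findings.append((module, lineno, t, decl, kind))
    return findings


if __name__ == "__main__":
    for module, lineno, t, decl, kind in foreign_fc_uses(SAMPLE_TE, SAMPLE_FC):
        where = f"declared in {decl}.te" if decl else "declared nowhere"
        print(f"{module}.fc:{lineno}: {t} is {where} ({kind})")
```

On the sample it reports the two kinds of move the series makes (a base-module .fc depending on a module type, as in patches 4 and 6, and a plain cross-module use, as in patches 3 and 5) plus an entry whose type is declared nowhere, the situation patches 7 and 8 deal with in interfaces.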


* [refpolicy] [PATCH 7/8] Remove undeclared identifiers from interfaces
From: James Carter @ 2018-04-11 18:55 UTC (permalink / raw)
  To: refpolicy

These interfaces are not being called in the policy.

corenetwork.if.in:corenet_sctp_bind_generic_port(),
  corenet_dontaudit_sctp_bind_generic_port(), and
  corenet_sctp_connect_generic_port()
  Removed references to undeclared type ephemeral_port_t.

corenetwork.if.in:corenet_sctp_recvfrom_unlabeled()
  Removed references to undeclared type attribute corenet_unlabeled_type.

devices.if:dev_read_printk()
  Removed references to undeclared type printk_device_t and marked
  interface as deprecated because it is now empty.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 policy/modules/kernel/corenetwork.if.in | 18 ++++++------------
 policy/modules/kernel/devices.if        |  8 ++------
 2 files changed, 8 insertions(+), 18 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 37aeb06d..13513500 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -1519,11 +1519,11 @@ interface(`corenet_udp_send_all_ports',`
 #
 interface(`corenet_sctp_bind_generic_port',`
 	gen_require(`
-		type port_t, unreserved_port_t, ephemeral_port_t;
+		type port_t, unreserved_port_t;
 		attribute defined_port_type;
 	')
 
-	allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
+	allow $1 { port_t unreserved_port_t }:sctp_socket name_bind;
 	dontaudit $1 defined_port_type:sctp_socket name_bind;
 ')
 
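Review bot: dropping `ephemeral_port_t` from the allow set narrows what `corenet_sctp_bind_generic_port` grants relative to what it previously tried to grant; the commit message's point that nothing calls these SCTP interfaces is what makes this safe and is why the final policy does not change. If `ephemeral_port_t` is ever declared, the three SCTP generic-port interfaces should be brought back in line with their TCP/UDP counterparts (`corenet_udp_send_all_ports` and friends are visible in the hunk headers), so a short note to that effect in the commit message would help whoever does it.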
@@ -1597,10 +1597,10 @@ interface(`corenet_udp_sendrecv_all_ports',`
 #
 interface(`corenet_dontaudit_sctp_bind_generic_port',`
 	gen_require(`
-		type port_t, unreserved_port_t, ephemeral_port_t;
+		type port_t, unreserved_port_t;
 	')
 
-	dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
+	dontaudit $1 { port_t unreserved_port_t }:sctp_socket name_bind;
 ')
 
 ########################################
@@ -1671,10 +1671,10 @@ interface(`corenet_udp_bind_all_ports',`
 #
 interface(`corenet_sctp_connect_generic_port',`
 	gen_require(`
-		type port_t, unreserved_port_t,ephemeral_port_t;
+		type port_t, unreserved_port_t;
 	')
 
-	allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect;
+	allow $1 { port_t unreserved_port_t }:sctp_socket name_connect;
 ')
 
 ########################################
@@ -3372,13 +3372,7 @@ interface(`corenet_relabelto_all_server_packets',`
 ## </param>
 #
 interface(`corenet_sctp_recvfrom_unlabeled',`
-	gen_require(`
-		attribute corenet_unlabeled_type;
-	')
-
 	kernel_recvfrom_unlabeled_peer($1)
-
-	typeattribute $1 corenet_unlabeled_type;
 	kernel_sendrecv_unlabeled_association($1)
 ')
 
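Review bot: with the `gen_require` and `typeattribute` gone, `corenet_sctp_recvfrom_unlabeled` is now just the two `kernel_*` calls, so the interface's summary and `<param>` doc above this hunk should be checked so they no longer imply membership in a corenet unlabeled attribute. If the original intent was that SCTP peers needed an attribute like the TCP/UDP variants, that is worth raising as a follow-up rather than dropping silently.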
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index c9071df8..be1a1d4b 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3374,18 +3374,14 @@ interface(`dev_rw_printer',`
 ## <summary>
 ##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
 ## </summary>
-## <param name="domain">
+## <param name="domain" unused="true">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dev_read_printk',`
-	gen_require(`
-		type device_t, printk_device_t;
-	')
-
-	read_chr_files_pattern($1, device_t, printk_device_t)
+	refpolicywarn(`$0() has been deprecated.')
 ')
 
 ########################################
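Review bot: marking the `domain` parameter `unused="true"` alongside the `refpolicywarn` deprecation is consistent, but the `<summary>` still reads "Read printk devices (e.g., /dev/kmsg /dev/mcelog)"; prefixing it with "Deprecated" would make the generated docs match the body. Since `printk_device_t` was never declared, any caller would already have failed to build, which supports deprecating the interface rather than declaring the type now.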
-- 
2.13.6


* [refpolicy] [PATCH 8/8] Remove undeclared identifiers from xserver interface
From: James Carter @ 2018-04-11 18:55 UTC (permalink / raw)
  To: refpolicy

The interface xserver_manage_xdm_spool_files() uses the undeclared type
xdm_spool_t. Removed statements referring to this type and marked the
interface as deprecated because it is now empty.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 policy/modules/services/xserver.if | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index b60957fb..e0d57dc7 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -851,19 +851,14 @@ interface(`xserver_setsched_xdm',`
 ##	Create, read, write, and delete
 ##	xdm_spool files.
 ## </summary>
-## <param name="domain">
+## <param name="domain" unused="true">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`xserver_manage_xdm_spool_files',`
-	gen_require(`
-		type xdm_spool_t;
-	')
-
-	files_search_spool($1)
-	manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
+	refpolicywarn(`$0() has been deprecated.')
 ')
 
 ########################################
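Review bot: per the cover letter this is the one patch that changes the final policy: a caller's optional block contained this call plus another, the undeclared `xdm_spool_t` caused the whole block to be removed, and the sibling call now takes effect. The commit message should name that caller and the rule that becomes active so the newly granted access is reviewed deliberately, and the caller should drop the now-deprecated call so the `refpolicywarn` does not fire on every build. As with dev_read_printk, the `<summary>` ("Create, read, write, and delete xdm_spool files") would read better with a "Deprecated" prefix.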
-- 
2.13.6


* [refpolicy] [PATCH 0/8] Fixes issues identified by spt_lint.lua to non-contrib
From: Chris PeBenito @ 2018-04-12 22:46 UTC (permalink / raw)
  To: refpolicy

On 04/11/2018 02:55 PM, James Carter via refpolicy wrote:
> The first seven patches cause no change in the final kernel policy, but the
> last one does.
> 
> Explanations for some of the patches.
> 
> Patch 2:
> spt_lint.lua looks for calls that have too many or too few arguments and it
> parses the interface XML header looking for optional and unused parameters,
> so by marking parameters that are unused as unused it will not falsely
> report a problem.
> 
> Patches 3-6:
> These patches move file contexts to the module that actually declares
> the type being used in the context. Patches 4 and 6 remove dependencies
> from the base module on the init module in case of patch 4 and on
> the userdomain module in the case of patch 6. Patches 3 and 5 remove
> inter-module dependencies.
> 
> Patch 7:
> This patch fixes interfaces that are not used in the policy. It causes
> no change in the final policy.
> 
> Patch 8:
> This patch changes the final kernel policy because the interface had
> an undeclared type and the call to it was causing an optional block
> with another call in it to be removed, but now that other call will
> show up in the policy.

Merged.


> James Carter (8):
>    Removed unnecessary semicolons
>    Mark unused parameters as unused
>    Move the use of var_log_t from authlogin.fc to logging.fc
>    Move the use of initrc_var_run_t from files.fc to init.fc
>    Move use of systemd_unit_t from systemd.fc to init.fc
>    Move use of user_devpts_t from terminal.fc to userdomain.fc
>    Remove undeclared identifiers from interfaces
>    Remove undeclared identifiers from xserver interface
> 
>   policy/modules/kernel/corenetwork.if.in | 18 ++++++------------
>   policy/modules/kernel/devices.if        |  8 ++------
>   policy/modules/kernel/files.fc          |  5 -----
>   policy/modules/kernel/terminal.fc       |  1 -
>   policy/modules/services/xserver.if      |  9 ++-------
>   policy/modules/system/authlogin.fc      |  2 --
>   policy/modules/system/init.fc           |  3 +++
>   policy/modules/system/ipsec.te          | 24 ++++++++++++------------
>   policy/modules/system/logging.fc        |  2 ++
>   policy/modules/system/logging.te        |  2 +-
>   policy/modules/system/systemd.fc        |  1 -
>   policy/modules/system/systemd.te        |  8 ++++----
>   policy/modules/system/userdomain.fc     |  2 ++
>   policy/modules/system/userdomain.if     |  8 ++++----
>   14 files changed, 38 insertions(+), 55 deletions(-)
> 


-- 
Chris PeBenito

