Changes to the cdrecord policy module

Use role attributes
Module clean up

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>

cdrecord.fc

@@ -1,6 +1,3 @@
-#
-# /usr
-#
 /usr/bin/cdrecord	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
 /usr/bin/growisofs	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
-/usr/bin/wodim		--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
+/usr/bin/wodim	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)

cdrecord.if

@@ -1,8 +1,8 @@
-## <summary>Policy for cdrecord</summary>
+## <summary>Record audio or data Compact Discs from a master.</summary>
 
 ########################################
 ## <summary>
-##	Role access for cdrecord
+##	Role access for cdrecord.
 ## </summary>
 ## <param name="role">
 ##	<summary>
@@ -17,17 +17,16 @@
 #
 interface(`cdrecord_role',`
 	gen_require(`
+		attribute_role cdrecord_roles;
 		type cdrecord_t, cdrecord_exec_t;
 	')
 
-	role $1 types cdrecord_t;
+	roleattribute $1 cdrecord_roles;
 
-	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, cdrecord_exec_t, cdrecord_t)
 
-	allow cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
+	allow cdrecord_t $2:unix_stream_socket create_socket_perms;
 
-	# allow ps to show cdrecord and allow the user to kill it 
+	allow $2 cdrecord_t:process { ptrace signal_perms };
 	ps_process_pattern($2, cdrecord_t)
-	allow $2 cdrecord_t:process signal;
 ')

cdrecord.te

@@ -1,24 +1,28 @@
-policy_module(cdrecord, 2.5.0)
+policy_module(cdrecord, 2.5.1)
 
 ########################################
 #
 # Declarations
 #
 
 ## <desc>
-## <p>
-## Allow cdrecord to read various content.
-## nfs, samba, removable devices, user temp
-## and untrusted content files
-## </p>
+##	<p>
+##	Determine whether cdrecord can read
+##	various content. nfs, samba, removable
+##	devices, user temp and untrusted
+##	content files
+##	</p>
 ## </desc>
 gen_tunable(cdrecord_read_content, false)
 
+attribute_role cdrecord_roles;
+
 type cdrecord_t;
 type cdrecord_exec_t;
 typealias cdrecord_t alias { user_cdrecord_t staff_cdrecord_t sysadm_cdrecord_t };
 typealias cdrecord_t alias { auditadm_cdrecord_t secadm_cdrecord_t };
 userdom_user_application_domain(cdrecord_t, cdrecord_exec_t)
+role cdrecord_roles types cdrecord_t;
 
 ########################################
 #
@@ -27,13 +31,10 @@ userdom_user_application_domain(cdrecord_t, cdrecord_exec_t)
 
 allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
 allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill };
-allow cdrecord_t self:unix_dgram_socket create_socket_perms;
-allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
+allow cdrecord_t self:unix_stream_socket { accept listen };
 
-# growisofs uses mkisofs
 corecmd_exec_bin(cdrecord_t)
 
-# allow searching for cdrom-drive
 dev_list_all_dev_nodes(cdrecord_t)
 dev_read_sysfs(cdrecord_t)
 
@@ -45,7 +46,6 @@ files_read_etc_files(cdrecord_t)
 term_use_controlling_term(cdrecord_t)
 term_list_ptys(cdrecord_t)
 
-# allow cdrecord to write the CD
 storage_raw_read_removable_device(cdrecord_t)
 storage_raw_write_removable_device(cdrecord_t)
 storage_write_scsi_generic(cdrecord_t)
@@ -54,24 +54,21 @@ logging_send_syslog_msg(cdrecord_t)
 
 miscfiles_read_localization(cdrecord_t)
 
-# write to the user domain tty.
 userdom_use_user_terminals(cdrecord_t)
 userdom_read_user_home_content_files(cdrecord_t)
 
-# Handle nfs home dirs
 tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
 	fs_list_auto_mountpoints(cdrecord_t)
 	files_list_home(cdrecord_t)
 	fs_read_nfs_files(cdrecord_t)
 	fs_read_nfs_symlinks(cdrecord_t)
-
 ',`
 	files_dontaudit_list_home(cdrecord_t)
 	fs_dontaudit_list_auto_mountpoints(cdrecord_t)
 	fs_dontaudit_read_nfs_files(cdrecord_t)
 	fs_dontaudit_list_nfs(cdrecord_t)
 ')
-# Handle samba home dirs
+
 tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
 	fs_list_auto_mountpoints(cdrecord_t)
 	files_list_home(cdrecord_t)
@@ -84,7 +81,6 @@ tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
 	fs_dontaudit_list_cifs(cdrecord_t)
 ')
 
-# Handle removable media, /tmp, and /home
 tunable_policy(`cdrecord_read_content',`
 	userdom_list_user_tmp(cdrecord_t)
 	userdom_read_user_tmp_files(cdrecord_t)