selinux-policy/policy_contrib-rawhide-roleattribute.patch

commit f53f820fe366940d4fdecaef80de4e5b1178fac6
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 01:38:59 2012 +0200
roleattribute patch
diff --git a/livecd.if b/livecd.if
index bfbf676..fb7869e 100644
--- a/livecd.if
+++ b/livecd.if
@@ -38,12 +38,19 @@ interface(`livecd_run',`
gen_require(`
type livecd_t;
type livecd_exec_t;
- attribute_role livecd_roles;
+ #attribute_role livecd_roles;
')
livecd_domtrans($1)
- roleattribute $2 livecd_roles;
+ #roleattribute $2 livecd_roles;
+ role $2 types livecd_t;
role_transition $2 livecd_exec_t system_r;
+
+ seutil_run_setfiles_mac(livecd_t, system_r)
+
+ optional_policy(`
+ mount_run(livecd_t, $2)
+ ')
')
########################################
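Review bot: `seutil_run_setfiles_mac(livecd_t, system_r)` is emitted from inside livecd_run, yet it does not depend on `$1` or `$2`, so every caller re-generates the same system_r rule; it belongs in livecd.te beside the `role system_r types livecd_t;` line this series adds there, with the interface keeping only the `$2`-dependent `mount_run(livecd_t, $2)`. The commented-out `#attribute_role livecd_roles;` and `#roleattribute $2 livecd_roles;` lines are residue rather than documentation and should be deleted, since the commit message already records why the attribute form was dropped; the same residue recurs in every hunk of this series (livecd.te, mozilla.if/.te, ncftool.if/.te, ppp.if/.te, usernetctl.if/.te, vpn.if/.te, dpkg.if/.te, portage.if/.te). If the lines are kept as a reminder, a single `# TODO: restore roleattribute once the toolchain supports attribute_role` above the gen_require block says the same thing once.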
diff --git a/livecd.te b/livecd.te
index 65efdae..7a944b5 100644
--- a/livecd.te
+++ b/livecd.te
@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0)
# Declarations
#
-attribute_role livecd_roles;
-roleattribute system_r livecd_roles;
+#attribute_role livecd_roles;
+#roleattribute system_r livecd_roles;
type livecd_t;
type livecd_exec_t;
application_domain(livecd_t, livecd_exec_t)
-role livecd_roles types livecd_t;
+role system_r types livecd_t;
+#role livecd_roles types livecd_t;
type livecd_tmp_t;
files_tmp_file(livecd_tmp_t)
@@ -35,10 +36,10 @@ term_filetrans_all_named_dev(livecd_t)
sysnet_filetrans_named_content(livecd_t)
-optional_policy(`
- mount_run(livecd_t, livecd_roles)
- seutil_run_setfiles_mac(livecd_t, livecd_roles)
-')
+#optional_policy(`
+# mount_run(livecd_t, livecd_roles)
+# seutil_run_setfiles_mac(livecd_t, livecd_roles)
+#')
optional_policy(`
ssh_filetrans_admin_home_content(livecd_t)
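Review bot: Commenting out this optional_policy block moves `mount_run` and `seutil_run_setfiles_mac` into livecd_run, so they are now generated only for roles that call that interface, whereas the removed `roleattribute system_r livecd_roles;` at the top of this file gave them to system_r unconditionally. The setfiles_mac half is preserved because livecd.if hard-codes system_r, but mount_t role authorization for system_r now relies on whatever else in the policy grants it — presumably the mount module, but that is an inference worth confirming. If system_r is expected to reach livecd_t without going through livecd_run, keep `mount_run(livecd_t, system_r)` here inside its optional_policy block.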
diff --git a/mozilla.if b/mozilla.if
index 30b0241..30bfefb 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -18,10 +18,11 @@
interface(`mozilla_role',`
gen_require(`
type mozilla_t, mozilla_exec_t, mozilla_home_t;
- attribute_role mozilla_roles;
+ #attribute_role mozilla_roles;
')
- roleattribute $1 mozilla_roles;
+ #roleattribute $1 mozilla_roles;
+ role $1 types mozilla_t;
domain_auto_trans($2, mozilla_exec_t, mozilla_t)
# Unrestricted inheritance from the caller.
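Review bot: `role $1 types mozilla_t;` replaces a roleattribute that, through mozilla.te, tied `$1` to mozilla_t, mozilla_plugin_t and mozilla_plugin_config_t alike (the three `role mozilla_roles types …` lines commented out in that file). Within this series only mozilla_t is granted here and mozilla_plugin_t is presumably covered by the `mozilla_run_plugin(mozilla_t, $1)` added in the next hunk; nothing visible grants `$1` mozilla_plugin_config_t, so the config-helper transition would be refused on the role check for user roles unless another interface does it. Adding `role $1 types mozilla_plugin_config_t;` beside this line, or routing it through the corresponding _run interface, restores the previous coverage. mozilla_role continues past the end of this hunk.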
@@ -47,6 +48,8 @@ interface(`mozilla_role',`
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ #should be remove then with adding of roleattribute
+ mozilla_run_plugin(mozilla_t, $1)
mozilla_dbus_chat($2)
userdom_manage_tmp_role($1, mozilla_t)
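Review bot: The comment `#should be remove then with adding of roleattribute` is hard to parse and does not say what will be removed or why it is here; `# Temporary: grants $1 the plugin domain directly. Remove once roleattribute support returns and mozilla.te can use mozilla_roles again.` states both. Wording like this matters more than usual in a series that leaves many commented-out lines behind, because it is the only marker distinguishing deliberate temporary rules from dead ones.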
@@ -63,7 +66,6 @@ interface(`mozilla_role',`
mozilla_filetrans_home_content($2)
- mozilla_dbus_chat($2)
')
########################################
diff --git a/mozilla.te b/mozilla.te
index 7bf56bf..56700a4 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -19,14 +19,15 @@ gen_tunable(mozilla_read_content, false)
## </desc>
gen_tunable(mozilla_plugin_enable_homedirs, false)
-attribute_role mozilla_roles;
+#attribute_role mozilla_roles;
type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
-role mozilla_roles types mozilla_t;
+#role mozilla_roles types mozilla_t;
+role system_r types mozilla_t;
type mozilla_conf_t;
files_config_file(mozilla_conf_t)
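Review bot: `role system_r types mozilla_t;` authorizes a role that the attribute-based policy never did: this file declared `attribute_role mozilla_roles;` but, unlike livecd.te, ncftool.te, vpn.te and dpkg.te, had no `roleattribute system_r mozilla_roles;`, so mozilla_t (a userdom_user_application_domain) was reachable only through roles that called mozilla_role. The same widening appears in the next two hunks of this file for mozilla_plugin_t and mozilla_plugin_config_t, and in usernetctl.te and portage.te for their application domains; ppp.te is different because init_daemon_domain already implies system_r. Unless something outside this patch already authorized system_r for these domains (worth confirming), these lines should be dropped and the role grants left entirely to the _role/_run interfaces, or the commit message should state that system_r is now intentionally authorized.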
@@ -39,7 +40,8 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
-role mozilla_roles types mozilla_plugin_t;
+#role mozilla_roles types mozilla_plugin_t;
+role system_r types mozilla_plugin_t;
type mozilla_plugin_tmp_t;
userdom_user_tmp_content(mozilla_plugin_tmp_t)
@@ -55,7 +57,8 @@ files_type(mozilla_plugin_rw_t)
type mozilla_plugin_config_t;
type mozilla_plugin_config_exec_t;
application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
-role mozilla_roles types mozilla_plugin_config_t;
+#role mozilla_roles types mozilla_plugin_config_t;
+role system_r types mozilla_plugin_config_t;
type mozilla_tmp_t;
userdom_user_tmp_file(mozilla_tmp_t)
@@ -186,7 +189,7 @@ sysnet_dns_name_resolve(mozilla_t)
userdom_use_inherited_user_ptys(mozilla_t)
-mozilla_run_plugin(mozilla_t, mozilla_roles)
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
@@ -298,7 +301,8 @@ optional_policy(`
')
optional_policy(`
- pulseaudio_role(mozilla_roles, mozilla_t)
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
')
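Review bot: `pulseaudio_role(mozilla_roles, mozilla_t)` is replaced by `pulseaudio_exec(mozilla_t)`, which by its name runs pulseaudio in the mozilla_t domain instead of transitioning into the pulseaudio domain and also drops whatever else the _role interface granted; that is a behavioral change beyond the roleattribute workaround described in the commit message. If the interface could not be kept because it needs a role argument, the closer equivalent in this series' own pattern is to move it into mozilla_role as `pulseaudio_role($1, mozilla_t)`, as mozilla_run_plugin was. Either way, a comment on this line explaining why pulseaudio now runs unconfined within mozilla_t would help the next reader.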
@@ -476,9 +480,9 @@ optional_policy(`
java_exec(mozilla_plugin_t)
')
-optional_policy(`
- lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
-')
+#optional_policy(`
+# lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
+#')
optional_policy(`
mplayer_exec(mozilla_plugin_t)
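Review bot: `lpd_run_lpr(mozilla_plugin_t, mozilla_roles)` is commented out with no substitute, unlike the other _run calls in this series which were at least replaced by a _domtrans form or moved into the interface with `$2`; after this commit the plugin cannot transition to the lpr domain for any role, so printing from a plugin will be denied. Presumably the intended replacement is the matching _domtrans interface here plus the role grant inside mozilla_role, mirroring how mozilla_run_plugin was handled.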
diff --git a/ncftool.if b/ncftool.if
index 1520b6c..3a4455f 100644
--- a/ncftool.if
+++ b/ncftool.if
@@ -36,10 +36,18 @@ interface(`ncftool_domtrans',`
#
interface(`ncftool_run',`
gen_require(`
- attribute_role ncftool_roles;
+ type ncftool_t;
+ #attribute_role ncftool_roles;
')
- ncftool_domtrans($1)
- roleattribute $2 ncftool_roles;
+ #ncftool_domtrans($1)
+ #roleattribute $2 ncftool_roles;
+
+ role $1 types ncftool_t;
+
+ ncftool_domtrans($2)
+
+ ps_process_pattern($2, ncftool_t)
+ allow $2 ncftool_t:process signal;
')
diff --git a/ncftool.te b/ncftool.te
index 91ab36d..8c48c33 100644
--- a/ncftool.te
+++ b/ncftool.te
@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.0)
# Declarations
#
-attribute_role ncftool_roles;
-roleattribute system_r ncftool_roles;
+#attribute_role ncftool_roles;
+#roleattribute system_r ncftool_roles;
type ncftool_t;
type ncftool_exec_t;
application_domain(ncftool_t, ncftool_exec_t)
domain_obj_id_change_exemption(ncftool_t)
domain_system_change_exemption(ncftool_t)
-role ncftool_roles types ncftool_t;
+#role ncftool_roles types ncftool_t;
+role system_r types ncftool_t;
########################################
#
@@ -53,8 +54,10 @@ term_use_all_inherited_terms(ncftool_t)
miscfiles_read_localization(ncftool_t)
sysnet_delete_dhcpc_pid(ncftool_t)
-sysnet_run_dhcpc(ncftool_t, ncftool_roles)
-sysnet_run_ifconfig(ncftool_t, ncftool_roles)
+sysnet_domtrans_dhcpc(ncftool_t)
+sysnet_domtrans_ifconfig(ncftool_t)
+#sysnet_run_dhcpc(ncftool_t, ncftool_roles)
+#sysnet_run_ifconfig(ncftool_t, ncftool_roles)
sysnet_etc_filetrans_config(ncftool_t)
sysnet_manage_config(ncftool_t)
sysnet_read_dhcpc_state(ncftool_t)
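Review bot: Replacing `sysnet_run_dhcpc(ncftool_t, ncftool_roles)` with `sysnet_domtrans_dhcpc(ncftool_t)` keeps the type transition but drops the `role … types dhcpc_t` half that the _run interface supplied, so a role that enters ncftool_t through ncftool_run (`role $2 types ncftool_t`) but is not otherwise authorized for dhcpc_t or ifconfig_t will have the transition refused on the role check. system_r is presumably still covered by the sysnet module itself, so only non-system roles are affected, but that should be confirmed rather than assumed. The same substitution recurs in the next ncftool.te hunk (modutils_domtrans_insmod, netutils_domtrans), in ppp.te (auth_domtrans_chk_passwd, ddclient_domtrans), in dpkg.te (libs_domtrans_ldconfig and the grouped _domtrans block) and in portage.te (libs_domtrans_ldconfig and the trailing _domtrans list). vpn.if and usernetctl.if instead moved the _run calls into the interface with `$2`, which preserves the role grant and is the safer pattern to follow here, e.g. `sysnet_run_dhcpc(ncftool_t, $2)` and `sysnet_run_ifconfig(ncftool_t, $2)` in ncftool_run.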
@@ -66,9 +69,9 @@ sysnet_signal_dhcpc(ncftool_t)
userdom_use_user_terminals(ncftool_t)
userdom_read_user_tmp_files(ncftool_t)
-optional_policy(`
- brctl_run(ncftool_t, ncftool_roles)
-')
+#optional_policy(`
+# brctl_run(ncftool_t, ncftool_roles)
+#')
optional_policy(`
consoletype_exec(ncftool_t)
@@ -85,9 +88,12 @@ optional_policy(`
optional_policy(`
modutils_read_module_config(ncftool_t)
- modutils_run_insmod(ncftool_t, ncftool_roles)
+ modutils_domtrans_insmod(ncftool_t)
+ #modutils_run_insmod(ncftool_t, ncftool_roles)
+
')
optional_policy(`
- netutils_run(ncftool_t, ncftool_roles)
+ netutils_domtrans(ncftool_t)
+ #netutils_run(ncftool_t, ncftool_roles)
')
diff --git a/ppp.if b/ppp.if
index c174b05..a4cad0b 100644
--- a/ppp.if
+++ b/ppp.if
@@ -175,11 +175,18 @@ interface(`ppp_run_cond',`
#
interface(`ppp_run',`
gen_require(`
- attribute_role pppd_roles;
+ #attribute_role pppd_roles;
+ type pppd_t;
')
- ppp_domtrans($1)
- roleattribute $2 pppd_roles;
+ #ppp_domtrans($1)
+ #roleattribute $2 pppd_roles;
+
+ role $2 types pppd_t;
+
+ tunable_policy(`pppd_for_user',`
+ ppp_domtrans($1)
+ ')
')
########################################
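Review bot: `ppp_domtrans($1)` is now wrapped in `tunable_policy(`pppd_for_user',…)`, whereas the removed line called it unconditionally, so ppp_run now behaves like the ppp_run_cond interface declared just above it and callers (usernetctl_run after this series) lose the transition whenever the boolean is off. If that gating is intended it should be stated in the interface's doc comment and in the commit message; otherwise keep `ppp_domtrans($1)` unconditional and let ppp_run_cond carry the tunable. `role $2 types pppd_t;` is still granted unconditionally, which is harmless but leaves the role authorized for a transition the tunable may forbid.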
diff --git a/ppp.te b/ppp.te
index 17e10a2..92cec2b 100644
--- a/ppp.te
+++ b/ppp.te
@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
## </desc>
gen_tunable(pppd_for_user, false)
-attribute_role pppd_roles;
+#attribute_role pppd_roles;
# pppd_t is the domain for the pppd program.
# pppd_exec_t is the type of the pppd executable.
type pppd_t;
type pppd_exec_t;
init_daemon_domain(pppd_t, pppd_exec_t)
-role pppd_roles types pppd_t;
+#role pppd_roles types pppd_t;
+role system_r types pppd_t;
type pppd_devpts_t;
term_pty(pppd_devpts_t)
@@ -64,7 +65,8 @@ files_pid_file(pppd_var_run_t)
type pptp_t;
type pptp_exec_t;
init_daemon_domain(pptp_t, pptp_exec_t)
-role pppd_roles types pptp_t;
+#role pppd_roles types pptp_t;
+role system_r types pptp_t;
type pptp_log_t;
logging_log_file(pptp_log_t)
@@ -176,7 +178,8 @@ init_dontaudit_write_utmp(pppd_t)
init_signal_script(pppd_t)
auth_use_nsswitch(pppd_t)
-auth_run_chk_passwd(pppd_t,pppd_roles)
+auth_domtrans_chk_passwd(pppd_t)
+#auth_run_chk_passwd(pppd_t,pppd_roles)
auth_write_login_records(pppd_t)
logging_send_syslog_msg(pppd_t)
@@ -196,7 +199,8 @@ userdom_search_admin_dir(pppd_t)
ppp_exec(pppd_t)
optional_policy(`
- ddclient_run(pppd_t, pppd_roles)
+ #ddclient_run(pppd_t, pppd_roles)
+ ddclient_domtrans(pppd_t)
')
optional_policy(`
diff --git a/usernetctl.if b/usernetctl.if
index d45c715..2d4f1ba 100644
--- a/usernetctl.if
+++ b/usernetctl.if
@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',`
#
interface(`usernetctl_run',`
gen_require(`
- attribute_role usernetctl_roles;
+ type usernetctl_t;
+ #attribute_role usernetctl_roles;
')
- usernetctl_domtrans($1)
- roleattribute $2 usernetctl_roles;
+ #usernetctl_domtrans($1)
+ #roleattribute $2 usernetctl_roles;
+
+ sysnet_run_ifconfig(usernetctl_t, $2)
+ sysnet_run_dhcpc(usernetctl_t, $2)
+
+ optional_policy(`
+ iptables_run(usernetctl_t, $2)
+ ')
+
+ optional_policy(`
+ modutils_run_insmod(usernetctl_t, $2)
+ ')
+
+ optional_policy(`
+ ppp_run(usernetctl_t, $2)
+ ')
+
')
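Review bot: The interface no longer performs the transition it is named for: `usernetctl_domtrans($1)` survives only as the commented line and neither it nor `role $2 types usernetctl_t;` is re-added, so usernetctl_run now grants `$2` the ifconfig, dhcpc, iptables, insmod and ppp roles while leaving `$1` unable to enter usernetctl_t at all. Contrast vpn_run in this same series, which keeps `vpn_domtrans($1)` and adds `role $2 types vpnc_t;`. Add `usernetctl_domtrans($1)` and `role $2 types usernetctl_t;` directly after the gen_require block; the trailing empty line before `')` can go as well.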
diff --git a/usernetctl.te b/usernetctl.te
index 8604c1c..35b12a6 100644
--- a/usernetctl.te
+++ b/usernetctl.te
@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0)
# Declarations
#
-attribute_role usernetctl_roles;
+#attribute_role usernetctl_roles;
type usernetctl_t;
type usernetctl_exec_t;
application_domain(usernetctl_t, usernetctl_exec_t)
domain_interactive_fd(usernetctl_t)
-role usernetctl_roles types usernetctl_t;
+#role usernetctl_roles types usernetctl_t;
+role system_r types usernetctl_t;
########################################
#
@@ -63,29 +64,30 @@ sysnet_read_config(usernetctl_t)
userdom_use_inherited_user_terminals(usernetctl_t)
-sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
-sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
+#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
+#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
optional_policy(`
- consoletype_run(usernetctl_t, usernetctl_roles)
+ #consoletype_run(usernetctl_t, usernetctl_roles)
+ consoletype_exec(usernetctl_t)
')
optional_policy(`
hostname_exec(usernetctl_t)
')
-optional_policy(`
- iptables_run(usernetctl_t, usernetctl_roles)
-')
+#optional_policy(`
+# iptables_run(usernetctl_t, usernetctl_roles)
+#')
-optional_policy(`
- modutils_run_insmod(usernetctl_t, usernetctl_roles)
-')
+#optional_policy(`
+# modutils_run_insmod(usernetctl_t, usernetctl_roles)
+#')
optional_policy(`
nis_use_ypbind(usernetctl_t)
')
-optional_policy(`
- ppp_run(usernetctl_t, usernetctl_roles)
-')
+#optional_policy(`
+# ppp_run(usernetctl_t, usernetctl_roles)
+#')
diff --git a/vpn.if b/vpn.if
index 7b93e07..a4e2f60 100644
--- a/vpn.if
+++ b/vpn.if
@@ -37,11 +37,16 @@ interface(`vpn_domtrans',`
#
interface(`vpn_run',`
gen_require(`
- attribute_role vpnc_roles;
+ #attribute_role vpnc_roles;
+ type vpnc_t;
')
+ #vpn_domtrans($1)
+ #roleattribute $2 vpnc_roles;
+
vpn_domtrans($1)
- roleattribute $2 vpnc_roles;
+ role $2 types vpnc_t;
+ sysnet_run_ifconfig(vpnc_t, $2)
')
########################################
diff --git a/vpn.te b/vpn.te
index 99fd457..d2585bb 100644
--- a/vpn.te
+++ b/vpn.te
@@ -5,14 +5,15 @@ policy_module(vpn, 1.15.0)
# Declarations
#
-attribute_role vpnc_roles;
-roleattribute system_r vpnc_roles;
+#attribute_role vpnc_roles;
+#roleattribute system_r vpnc_roles;
type vpnc_t;
type vpnc_exec_t;
init_system_domain(vpnc_t, vpnc_exec_t)
application_domain(vpnc_t, vpnc_exec_t)
-role vpnc_roles types vpnc_t;
+#role vpnc_roles types vpnc_t;
+role system_r types vpnc_t;
type vpnc_tmp_t;
files_tmp_file(vpnc_tmp_t)
@@ -108,7 +109,7 @@ miscfiles_read_localization(vpnc_t)
seutil_dontaudit_search_config(vpnc_t)
seutil_use_newrole_fds(vpnc_t)
-sysnet_run_ifconfig(vpnc_t, vpnc_roles)
+#sysnet_run_ifconfig(vpnc_t, vpnc_roles)
sysnet_etc_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t)
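Review bot: `sysnet_run_ifconfig(vpnc_t, vpnc_roles)` is commented out here and re-added only inside vpn_run with `$2`, but vpnc_t is an init_system_domain that this file also gives to system_r (`role system_r types vpnc_t;` in the first hunk), and the removed `roleattribute system_r vpnc_roles;` previously made system_r part of vpnc_roles. Unless the sysnet module itself authorizes system_r for ifconfig_t — likely, but an inference — vpnc started by init is no longer role-authorized to run ifconfig. Keeping `sysnet_run_ifconfig(vpnc_t, system_r)` here, as livecd.if does for setfiles_mac, avoids depending on that.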
commit 88b64bdd71ef734271b9370fc37e02785f354f7f
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 02:33:40 2012 +0200
Fix ncftool.if
diff --git a/ncftool.if b/ncftool.if
index 3a4455f..59f096b 100644
--- a/ncftool.if
+++ b/ncftool.if
@@ -43,11 +43,12 @@ interface(`ncftool_run',`
#ncftool_domtrans($1)
#roleattribute $2 ncftool_roles;
- role $1 types ncftool_t;
+ ncftool_domtrans($1)
+ role $2 types ncftool_t;
- ncftool_domtrans($2)
+ optional_policy(`
+ brctl_run(ncftool_t, $2)
+ ')
- ps_process_pattern($2, ncftool_t)
- allow $2 ncftool_t:process signal;
')
commit 1d49e7e1383a578e75d16b0b7f58dbe25351b1d9
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 10:47:57 2012 +0200
roleattriburte temp fixes for portage and dpkg
diff --git a/dpkg.if b/dpkg.if
index 4d32b42..d945bd0 100644
--- a/dpkg.if
+++ b/dpkg.if
@@ -62,11 +62,18 @@ interface(`dpkg_domtrans_script',`
#
interface(`dpkg_run',`
gen_require(`
- attribute_role dpkg_roles;
+ #attribute_role dpkg_roles;
+ type dpkg_t, dpkg_script_t
')
+ #dpkg_domtrans($1)
+ #roleattribute $2 dpkg_roles;
+
dpkg_domtrans($1)
- roleattribute $2 dpkg_roles;
+ role $2 types dpkg_t;
+ role $2 types dpkg_script_t;
+ seutil_run_loadpolicy(dpkg_script_t, $2)
+
')
########################################
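Review bot: `seutil_run_loadpolicy(dpkg_script_t, $2)` is the only one of dpkg_script_t's former privileged transitions carried over into this interface; in dpkg.te the modutils depmod/insmod, seutil setfiles, bootloader and usermanage groupadd/useradd calls for dpkg_script_t are commented out with no _domtrans replacement (only dpkg_t receives those), so after this commit a role calling dpkg_run can have the maintainer-script domain load policy but not relabel, run depmod or add users. If that asymmetry is deliberate it deserves a comment here; otherwise the remaining calls should be added beside this one with `$2`, or restored in dpkg.te as _domtrans forms. The trailing empty line before `')` and the duplicated commented-out `#dpkg_domtrans($1)` / `#roleattribute` pair should be removed.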
diff --git a/dpkg.te b/dpkg.te
index a1b8f92..9ac1b80 100644
--- a/dpkg.te
+++ b/dpkg.te
@@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1)
# Declarations
#
-attribute_role dpkg_roles;
-roleattribute system_r dpkg_roles;
+#attribute_role dpkg_roles;
+#roleattribute system_r dpkg_roles;
type dpkg_t;
type dpkg_exec_t;
@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t)
domain_role_change_exemption(dpkg_t)
domain_system_change_exemption(dpkg_t)
domain_interactive_fd(dpkg_t)
-role dpkg_roles types dpkg_t;
+#role dpkg_roles types dpkg_t;
+role system_r types dpkg_t;
# lockfile
type dpkg_lock_t;
@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
domain_system_change_exemption(dpkg_script_t)
domain_interactive_fd(dpkg_script_t)
-role dpkg_roles types dpkg_script_t;
+#role dpkg_roles types dpkg_script_t;
+role system_r types dpkg_script_t;
type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)
@@ -152,9 +154,12 @@ files_exec_etc_files(dpkg_t)
init_domtrans_script(dpkg_t)
init_use_script_ptys(dpkg_t)
+#libs_exec_ld_so(dpkg_t)
+#libs_exec_lib_files(dpkg_t)
+#libs_run_ldconfig(dpkg_t, dpkg_roles)
libs_exec_ld_so(dpkg_t)
libs_exec_lib_files(dpkg_t)
-libs_run_ldconfig(dpkg_t, dpkg_roles)
+libs_domtrans_ldconfig(dpkg_t)
logging_send_syslog_msg(dpkg_t)
@@ -196,19 +201,30 @@ domain_signull_all_domains(dpkg_t)
files_read_etc_runtime_files(dpkg_t)
files_exec_usr_files(dpkg_t)
miscfiles_read_localization(dpkg_t)
-modutils_run_depmod(dpkg_t, dpkg_roles)
-modutils_run_insmod(dpkg_t, dpkg_roles)
-seutil_run_loadpolicy(dpkg_t, dpkg_roles)
-seutil_run_setfiles(dpkg_t, dpkg_roles)
+#modutils_run_depmod(dpkg_t, dpkg_roles)
+#modutils_run_insmod(dpkg_t, dpkg_roles)
+#seutil_run_loadpolicy(dpkg_t, dpkg_roles)
+#seutil_run_setfiles(dpkg_t, dpkg_roles)
userdom_use_all_users_fds(dpkg_t)
optional_policy(`
mta_send_mail(dpkg_t)
')
+
+
optional_policy(`
- usermanage_run_groupadd(dpkg_t, dpkg_roles)
- usermanage_run_useradd(dpkg_t, dpkg_roles)
+ modutils_domtrans_depmod(dpkg_t)
+ modutils_domtrans_insmod(dpkg_t)
+ seutil_domtrans_loadpolicy(dpkg_t)
+ seutil_domtrans_setfiles(dpkg_t)
+ usermanage_domtrans_groupadd(dpkg_t)
+ usermanage_domtrans_useradd(dpkg_t)
')
+#optional_policy(`
+# usermanage_run_groupadd(dpkg_t, dpkg_roles)
+# usermanage_run_useradd(dpkg_t, dpkg_roles)
+#')
+
########################################
#
# dpkg-script Local policy
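Review bot: The four modutils/seutil _domtrans calls are placed inside the optional_policy block that previously held only the usermanage calls, so if the usermanage interfaces are unavailable the whole block — including the previously unconditional depmod, insmod, loadpolicy and setfiles transitions (the removed lines just above) — is silently dropped. Keep those four at top level where their _run predecessors were and leave only the usermanage pair inside optional_policy; the two blank lines inserted before the block can go at the same time.
```m4
modutils_domtrans_depmod(dpkg_t)
modutils_domtrans_insmod(dpkg_t)
seutil_domtrans_loadpolicy(dpkg_t)
seutil_domtrans_setfiles(dpkg_t)
# … unchanged: userdom_use_all_users_fds(dpkg_t) and the mta optional_policy block …
optional_policy(`
	usermanage_domtrans_groupadd(dpkg_t)
	usermanage_domtrans_useradd(dpkg_t)
')
```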
@@ -302,11 +318,11 @@ logging_send_syslog_msg(dpkg_script_t)
miscfiles_read_localization(dpkg_script_t)
-modutils_run_depmod(dpkg_script_t, dpkg_roles)
-modutils_run_insmod(dpkg_script_t, dpkg_roles)
+#modutils_run_depmod(dpkg_script_t, dpkg_roles)
+#modutils_run_insmod(dpkg_script_t, dpkg_roles)
-seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
-seutil_run_setfiles(dpkg_script_t, dpkg_roles)
+#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
+#seutil_run_setfiles(dpkg_script_t, dpkg_roles)
userdom_use_all_users_fds(dpkg_script_t)
@@ -319,9 +335,9 @@ optional_policy(`
apt_use_fds(dpkg_script_t)
')
-optional_policy(`
- bootloader_run(dpkg_script_t, dpkg_roles)
-')
+#optional_policy(`
+# bootloader_run(dpkg_script_t, dpkg_roles)
+#')
optional_policy(`
mta_send_mail(dpkg_script_t)
@@ -335,7 +351,7 @@ optional_policy(`
unconfined_domain(dpkg_script_t)
')
-optional_policy(`
- usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
- usermanage_run_useradd(dpkg_script_t, dpkg_roles)
-')
+#optional_policy(`
+# usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
+# usermanage_run_useradd(dpkg_script_t, dpkg_roles)
+#')
diff --git a/portage.if b/portage.if
index b4bb48a..e5e8f12 100644
--- a/portage.if
+++ b/portage.if
@@ -43,11 +43,15 @@ interface(`portage_domtrans',`
#
interface(`portage_run',`
gen_require(`
- attribute_role portage_roles;
+ type portage_t, portage_fetch_t, portage_sandbox_t;
+ #attribute_role portage_roles;
')
- portage_domtrans($1)
- roleattribute $2 portage_roles;
+ #portage_domtrans($1)
+ #roleattribute $2 portage_roles;
+ portage_domtrans($1)
+ role $2 types { portage_t portage_fetch_t portage_sandbox_t }
+
')
########################################
diff --git a/portage.te b/portage.te
index 22bdf7d..f726e1d 100644
--- a/portage.te
+++ b/portage.te
@@ -12,7 +12,7 @@ policy_module(portage, 1.12.4)
## </desc>
gen_tunable(portage_use_nfs, false)
-attribute_role portage_roles;
+#attribute_role portage_roles;
type gcc_config_t;
type gcc_config_exec_t;
@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t)
domain_obj_id_change_exemption(portage_t)
rsync_entry_type(portage_t)
corecmd_shell_entry_type(portage_t)
-role portage_roles types portage_t;
+#role portage_roles types portage_t;
+role system_r types portage_t;
# portage compile sandbox domain
type portage_sandbox_t;
@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t)
# the shell is the entrypoint if regular sandbox is disabled
# portage_exec_t is the entrypoint if regular sandbox is enabled
corecmd_shell_entry_type(portage_sandbox_t)
-role portage_roles types portage_sandbox_t;
+#role portage_roles types portage_sandbox_t;
+role system_r types portage_sandbox_t;
# portage package fetching domain
type portage_fetch_t;
@@ -41,7 +43,8 @@ type portage_fetch_exec_t;
application_domain(portage_fetch_t, portage_fetch_exec_t)
corecmd_shell_entry_type(portage_fetch_t)
rsync_entry_type(portage_fetch_t)
-role portage_roles types portage_fetch_t;
+#role portage_roles types portage_fetch_t;
+role system_r types portage_fetch_t;
type portage_devpts_t;
term_pty(portage_devpts_t)
@@ -115,7 +118,8 @@ files_list_all(gcc_config_t)
init_dontaudit_read_script_status_files(gcc_config_t)
libs_read_lib_files(gcc_config_t)
-libs_run_ldconfig(gcc_config_t, portage_roles)
+#libs_run_ldconfig(gcc_config_t, portage_roles)
+libs_domtrans_ldconfig(gcc_config_t)
libs_manage_shared_libs(gcc_config_t)
# gcc-config creates a temp dir for the libs
libs_manage_lib_dirs(gcc_config_t)
@@ -196,33 +200,41 @@ auth_manage_shadow(portage_t)
init_exec(portage_t)
# run setfiles -r
-seutil_run_setfiles(portage_t, portage_roles)
+#seutil_run_setfiles(portage_t, portage_roles)
# run semodule
-seutil_run_semanage(portage_t, portage_roles)
+#seutil_run_semanage(portage_t, portage_roles)
-portage_run_gcc_config(portage_t, portage_roles)
+#portage_run_gcc_config(portage_t, portage_roles)
# if sesandbox is disabled, compiling is performed in this domain
portage_compile_domain(portage_t)
-optional_policy(`
- bootloader_run(portage_t, portage_roles)
-')
+#optional_policy(`
+# bootloader_run(portage_t, portage_roles)
+#')
optional_policy(`
cron_system_entry(portage_t, portage_exec_t)
cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
')
-optional_policy(`
- modutils_run_depmod(portage_t, portage_roles)
- modutils_run_update_mods(portage_t, portage_roles)
+#optional_policy(`
+# modutils_run_depmod(portage_t, portage_roles)
+# modutils_run_update_mods(portage_t, portage_roles)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
')
-optional_policy(`
- usermanage_run_groupadd(portage_t, portage_roles)
- usermanage_run_useradd(portage_t, portage_roles)
-')
+#optional_policy(`
+# usermanage_run_groupadd(portage_t, portage_roles)
+# usermanage_run_useradd(portage_t, portage_roles)
+#')
+
+seutil_domtrans_setfiles(portage_t)
+seutil_domtrans_semanage(portage_t)
+bootloader_domtrans(portage_t)
+modutils_domtrans_depmod(portage_t)
+modutils_domtrans_update_mods(portage_t)
+usermanage_domtrans_groupadd(portage_t)
+usermanage_domtrans_useradd(portage_t)
ifdef(`TODO',`
# seems to work ok without these
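Review bot: `bootloader_domtrans(portage_t)` at the end of this hunk is called at top level, but the rule it replaces (`bootloader_run` in the removed block) sat inside `optional_policy(`…')` because bootloader is an optional module; a build without that module now fails on the unresolved interface. Wrap it as `optional_policy(`` / `bootloader_domtrans(portage_t)` / `')`, and consider the same for the modutils and usermanage calls that likewise left their optional blocks. Separately, `portage_run_gcc_config(portage_t, portage_roles)` is commented out with nothing in the trailing list standing in for it, so portage_t loses the gcc-config transition entirely; presumably `portage_domtrans_gcc_config(portage_t)` is the intended substitute, and gcc_config_t would then also need adding to the role set that portage_run grants in portage.if.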
commit 1797b35f16d5c863a0083148dee4ee3f93c4c4ef
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 10:52:09 2012 +0200
Fix typo
diff --git a/portage.if b/portage.if
index e5e8f12..7098ded 100644
--- a/portage.if
+++ b/portage.if
@@ -50,7 +50,7 @@ interface(`portage_run',`
#portage_domtrans($1)
#roleattribute $2 portage_roles;
portage_domtrans($1)
- role $2 types { portage_t portage_fetch_t portage_sandbox_t }
+ role $2 types { portage_t portage_fetch_t portage_sandbox_t };
')
commit cf999ca29d2a4401c481e28c169e10d676d73526
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 10:59:22 2012 +0200
One more typo
diff --git a/dpkg.if b/dpkg.if
index d945bd0..78736d8 100644
--- a/dpkg.if
+++ b/dpkg.if
@@ -63,7 +63,7 @@ interface(`dpkg_domtrans_script',`
interface(`dpkg_run',`
gen_require(`
#attribute_role dpkg_roles;
- type dpkg_t, dpkg_script_t
+ type dpkg_t, dpkg_script_t;
')
#dpkg_domtrans($1)