more setcurrent stuff

refpolicy/policy/modules/system/domain.if

@@ -79,6 +79,18 @@ interface(`domain_wide_inherit_fd',`
 	typeattribute $1 privfd;
 ')
 
+########################################
+#
+# domain_dyntrans_type(domain)
+#
+interface(`domain_dyntrans_type',`
+	gen_require(`
+		attribute set_curr_context;
+	')
+
+	typeattribute $1 set_curr_context;
+')
+
 ########################################
 ## <interface name="domain_subj_id_change_exempt">
 ##	<description>
@@ -461,7 +473,7 @@ interface(`domain_read_all_entry_files',`
 #
 # domain_trans(source_domain,entrypoint_file,target_domain)
 #
-interface(`domain_trans',`
+define(`domain_trans',`
 	gen_require(`
 		class file rx_file_perms;
 		process { transition noatsecure siginh rlimitinh };
@@ -476,7 +488,7 @@ interface(`domain_trans',`
 #
 # domain_auto_trans(source_domain,entrypoint_file,target_domain)
 #
-interface(`domain_auto_trans',`
+define(`domain_auto_trans',`
 	domain_trans($1,$2,$3)
 	type_transition $1 $2:process $3;
 ')

refpolicy/policy/modules/system/domain.te

@@ -10,6 +10,10 @@ attribute entry_type;
 # widely-inheritable file descriptors
 attribute privfd;
 
+# Domains that can set their current context
+# (perform dynamic transitions)
+attribute set_curr_context;
+
 # constraint related attributes
 attribute can_change_process_identity;
 attribute can_change_process_role;
@@ -21,7 +25,7 @@ neverallow domain ~domain:process { transition dyntransition };
 # enabling setcurrent breaks process tranquility.  If you do not
 # know what this means or do not understand the implications of a
 # dynamic transition, you should not be using it!!!
-neverallow * *:process setcurrent;
+neverallow { domain -set_curr_context } self:process setcurrent;
 
 # Files with domain types are currently only proc files
 neverallow * domain:dir ~r_dir_perms;