send user role to per userdomain templates. update templated interfaces

to have the prefix be the first argument

refpolicy/policy/modules/admin/su.if

@@ -20,6 +20,12 @@
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
+## <param name="user_domain">
+##	The type of the user domain.
+## </param>
+## <param name="user_role">
+##	The role associated with the user domain.
+## </param>
 #
 template(`su_per_userdomain_template',`
 
@@ -30,9 +36,9 @@ template(`su_per_userdomain_template',`
 	domain_subj_id_change_exempt($1_su_t)
 	domain_obj_id_change_exempt($1_su_t)
 	domain_wide_inherit_fd($1_su_t)
-	role $1_r types $1_su_t;
+	role $3 types $1_su_t;
 
-	allow $1_t $1_su_t:process signal;
+	allow $2 $1_su_t:process signal;
 
 	allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
 	dontaudit $1_su_t self:capability sys_tty_config;
@@ -40,18 +46,18 @@ template(`su_per_userdomain_template',`
 	allow $1_su_t self:fifo_file rw_file_perms;
 
 	# Transition from the user domain to this domain.
-	domain_auto_trans($1_t, su_exec_t, $1_su_t)
+	domain_auto_trans($2, su_exec_t, $1_su_t)
-	allow $1_t $1_su_t:fd use;
+	allow $2 $1_su_t:fd use;
-	allow $1_su_t $1_t:fd use;
+	allow $1_su_t $2:fd use;
-	allow $1_su_t $1_t:fifo_file rw_file_perms;
+	allow $1_su_t $2:fifo_file rw_file_perms;
-	allow $1_su_t $1_t:process sigchld;
+	allow $1_su_t $2:process sigchld;
 
 	# By default, revert to the calling domain when a shell is executed.
-	corecmd_shell_domtrans($1_su_t,$1_t)
+	corecmd_shell_domtrans($1_su_t,$2)
-	allow $1_t $1_su_t:fd use;
+	allow $2 $1_su_t:fd use;
-	allow $1_su_t $1_t:fd use;
+	allow $1_su_t $2:fd use;
-	allow $1_su_t $1_t:fifo_file rw_file_perms;
+	allow $1_su_t $2:fifo_file rw_file_perms;
-	allow $1_su_t $1_t:process sigchld;
+	allow $1_su_t $2:process sigchld;
 
 	kernel_read_system_state($1_su_t)
 	kernel_read_kernel_sysctl($1_su_t)
@@ -97,7 +103,7 @@ template(`su_per_userdomain_template',`
 	seutil_read_config($1_su_t)
 	seutil_read_default_contexts($1_su_t)
 
-	userdom_use_user_terminals($1_su_t,$1)
+	userdom_use_user_terminals($1,$1_su_t)
 
 	if(secure_mode)
 	{

refpolicy/policy/modules/admin/sudo.if

@@ -20,6 +20,12 @@
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
+## <param name="user_domain">
+##	The type of the user domain.
+## </param>
+## <param name="user_role">
+##	The role associated with the user domain.
+## </param>
 #
 template(`sudo_per_userdomain_template',`
 
@@ -36,7 +42,7 @@ template(`sudo_per_userdomain_template',`
 	domain_role_change_exempt($1_sudo_t)
 	domain_obj_id_change_exempt($1_sudo_t)
 
-	role $1_r types $1_sudo_t;
+	role $3 types $1_sudo_t;
 
 	##############################
 	#
@@ -59,18 +65,18 @@ template(`sudo_per_userdomain_template',`
 	allow $1_sudo_t self:msg { send receive };
 
 	# Enter this derived domain from the user domain
-	domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
+	domain_auto_trans($2, sudo_exec_t, $1_sudo_t)
-	allow $1_sudo_t $1_t:fd use;
+	allow $1_sudo_t $2:fd use;
-	allow $1_t $1_sudo_t:fd use;
+	allow $2 $1_sudo_t:fd use;
-	allow $1_t $1_sudo_t:fifo_file rw_file_perms;
+	allow $2 $1_sudo_t:fifo_file rw_file_perms;
-	allow $1_t $1_sudo_t:process sigchld;
+	allow $2 $1_sudo_t:process sigchld;
 
 	# By default, revert to the calling domain when a shell is executed.
-	corecmd_shell_domtrans($1_sudo_t,$1_t)
+	corecmd_shell_domtrans($1_sudo_t,$2)
-	allow $1_t $1_sudo_t:fd use;
+	allow $2 $1_sudo_t:fd use;
-	allow $1_sudo_t $1_t:fd use;
+	allow $1_sudo_t $2:fd use;
-	allow $1_sudo_t $1_t:fifo_file rw_file_perms;
+	allow $1_sudo_t $2:fifo_file rw_file_perms;
-	allow $1_sudo_t $1_t:process sigchld;
+	allow $1_sudo_t $2:process sigchld;
 
 	kernel_read_kernel_sysctl($1_sudo_t)
 	kernel_read_system_state($1_sudo_t)
@@ -121,10 +127,10 @@ template(`sudo_per_userdomain_template',`
 	seutil_read_config($1_sudo_t)
 	seutil_read_default_contexts($1_sudo_t)
 
-	userdom_manage_user_home_subdir_files($1_sudo_t,$1)
+	userdom_manage_user_home_subdir_files($1,$1_sudo_t)
-	userdom_manage_user_home_subdir_symlinks($1_sudo_t,$1)
+	userdom_manage_user_home_subdir_symlinks($1,$1_sudo_t)
-	userdom_manage_user_tmp_files($1_sudo_t,$1)
+	userdom_manage_user_tmp_files($1,$1_sudo_t)
-	userdom_manage_user_tmp_symlinks($1_sudo_t,$1)
+	userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
 	userdom_use_unpriv_users_fd($1_sudo_t)
 	# for some PAM modules and for cwd
 	userdom_dontaudit_search_all_users_home($1_sudo_t)

refpolicy/policy/modules/apps/gpg.if

@@ -21,10 +21,15 @@
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 template(`gpg_per_userdomain_template',`
-	gen_require(`$0'_depend)
-
 	########################################
 	#
 	# Declarations
@@ -33,12 +38,12 @@ template(`gpg_per_userdomain_template',`
 	type $1_gpg_t;
 	domain_type($1_gpg_t)
 	domain_entry_file($1_gpg_t,gpg_exec_t)
-	role $1_r types $1_gpg_t;
+	role $3 types $1_gpg_t;
 
 	type $1_gpg_agent_t;
 	domain_type($1_gpg_agent_t)
 	domain_entry_file($1_gpg_agent_t,gpg_agent_exec_t)
-	role $1_r types $1_gpg_agent_t;
+	role $3 types $1_gpg_agent_t;
 
 	type $1_gpg_agent_tmp_t;
 	files_tmp_file($1_gpg_agent_tmp_t)
@@ -48,11 +53,11 @@ template(`gpg_per_userdomain_template',`
 
 	type $1_gpg_helper_t;
 	domain_type($1_gpg_helper_t)
-	role $1_r types $1_gpg_helper_t;
+	role $3 types $1_gpg_helper_t;
 
 	type $1_gpg_pinentry_t;
 	domain_type($1_gpg_pinentry_t)
-	role $1_r types $1_gpg_pinentry_t;
+	role $3 types $1_gpg_pinentry_t;
 
 	########################################
 	#
@@ -60,15 +65,15 @@ template(`gpg_per_userdomain_template',`
 	#
 
 	# transition from the userdomain to the derived domain
-	domain_auto_trans($1_t,gpg_exec_t,$1_gpg_t)
+	domain_auto_trans($2,gpg_exec_t,$1_gpg_t)
 
-	allow $1_t $1_gpg_t:fd use;
+	allow $2 $1_gpg_t:fd use;
-	allow $1_gpg_t $1_t:fd use;
+	allow $1_gpg_t $2:fd use;
-	allow $1_gpg_t $1_t:fifo_file rw_file_perms;
+	allow $1_gpg_t $2:fifo_file rw_file_perms;
-	allow $1_gpg_t $1_t:process sigchld;
+	allow $1_gpg_t $2:process sigchld;
 
 	allow $1_gpg_t self:capability { ipc_lock setuid };
-	allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
+	allow { $2 $1_gpg_t } $1_gpg_t:process signal;
 	# setrlimit is for ulimit -c 0
 	allow $1_gpg_t self:process { setrlimit setcap };
 
@@ -79,8 +84,8 @@ template(`gpg_per_userdomain_template',`
 	allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
 	allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
 
-	allow $1_t $1_gpg_secret_t:file getattr;
+	allow $2 $1_gpg_secret_t:file getattr;
-	allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
+	allow $2 $1_gpg_secret_t:dir rw_dir_perms;
 
 	corenet_tcp_sendrecv_all_if($1_gpg_t)
 	corenet_raw_sendrecv_all_if($1_gpg_t)
@@ -115,6 +120,8 @@ template(`gpg_per_userdomain_template',`
 
 	sysnet_read_config($1_gpg_t)
 
+	userdom_use_user_terminals($1,$1_gpg_t)
+
 	# Legacy
 	tunable_policy(`allow_gpg_execstack',`
 		allow $1_gpg_t self:process execmem;
@@ -143,7 +150,6 @@ template(`gpg_per_userdomain_template',`
 
 	ifdef(`TODO',`
 
-	access_terminal($1_gpg_t, $1)
 	ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
 
 	# allow ps to show gpg
@@ -176,8 +182,8 @@ template(`gpg_per_userdomain_template',`
 	# mail interface you will likely need additional permissions.
 
 	# communicate with the user 
-	allow $1_gpg_helper_t $1_t:fd use;
+	allow $1_gpg_helper_t $2:fd use;
-	allow $1_gpg_helper_t $1_t:fifo_file write;
+	allow $1_gpg_helper_t $2:fifo_file write;
 
 	# transition from the gpg domain to the helper domain
 	domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
@@ -254,17 +260,17 @@ template(`gpg_per_userdomain_template',`
 	allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto;
 
 	# Allow the user shell to signal the gpg-agent program.
-	allow $1_t $1_gpg_agent_t:process { signal sigkill };
+	allow $2 $1_gpg_agent_t:process { signal sigkill };
 
-	allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms;
+	allow $2 $1_gpg_agent_tmp_t:dir create_dir_perms;
-	allow $1_t $1_gpg_agent_tmp_t:file create_file_perms;
+	allow $2 $1_gpg_agent_tmp_t:file create_file_perms;
-	allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
+	allow $2 $1_gpg_agent_tmp_t:sock_file create_file_perms;
 	files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
 
 	corecmd_search_bin($1_gpg_agent_t)
 
 	# Transition from the user domain to the derived domain.
-	domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
+	domain_auto_trans($2, gpg_agent_exec_t, $1_gpg_agent_t)
 
 	domain_use_wide_inherit_fd($1_gpg_agent_t)
 
@@ -273,6 +279,9 @@ template(`gpg_per_userdomain_template',`
 
 	miscfiles_read_localization($1_gpg_agent_t)
 
+	# Write to the user domain tty.
+	userdom_use_user_terminals($1,$1_gpg_agent_t)
+
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_dirs($1_gpg_agent_t)
 		fs_manage_nfs_files($1_gpg_agent_t)
@@ -289,9 +298,6 @@ template(`gpg_per_userdomain_template',`
 
 	allow $1_gpg_agent_t xdm_t:fd use;
 
-	# Write to the user domain tty.
-	access_terminal($1_gpg_agent_t, $1)
-
 	# allow ps to show gpg-agent
 	can_ps($1_t, $1_gpg_agent_t)
 

refpolicy/policy/modules/services/cron.if

@@ -20,6 +20,12 @@
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
+## <param name="user_domain">
+##	The type of the user domain.
+## </param>
+## <param name="user_role">
+##	The role associated with the user domain.
+## </param>
 #
 template(`cron_per_userdomain_template',`
 
@@ -30,12 +36,12 @@ template(`cron_per_userdomain_template',`
 	type $1_crond_t; # user_crond_domain;
 	domain_type($1_crond_t);
 	corecmd_shell_entry_type($1_crond_t)
-	role $1_r types $1_crond_t;
+	role $3 types $1_crond_t;
 
 	type $1_crontab_t;
 	domain_type($1_crontab_t)
 	domain_entry_file($1_crontab_t,crontab_exec_t)
-	role $1_r types $1_crontab_t;
+	role $3 types $1_crontab_t;
 
 	##############################
 	#
@@ -112,12 +118,12 @@ template(`cron_per_userdomain_template',`
 
 	miscfiles_read_localization($1_crond_t)
 
-	userdom_manage_user_tmp_files($1_crond_t,$1)
+	userdom_manage_user_tmp_files($1,$1_crond_t)
-	userdom_manage_user_tmp_symlinks($1_crond_t,$1)
+	userdom_manage_user_tmp_symlinks($1,$1_crond_t)
-	userdom_manage_user_tmp_pipes($1_crond_t,$1)
+	userdom_manage_user_tmp_pipes($1,$1_crond_t)
-	userdom_manage_user_tmp_sockets($1_crond_t,$1)
+	userdom_manage_user_tmp_sockets($1,$1_crond_t)
 	# Run scripts in user home directory and access shared libs.
-	userdom_exec_user_home_files($1_crond_t,$1)
+	userdom_exec_user_home_files($1,$1_crond_t)
 
 	tunable_policy(`fcron_crond', `
 		allow crond_t $1_cron_spool_t:file create_file_perms;
@@ -157,14 +163,14 @@ template(`cron_per_userdomain_template',`
 	#
 
 	# Transition from the user domain to the derived domain.
-	domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
+	domain_auto_trans($2, crontab_exec_t, $1_crontab_t)
-	allow $1_t $1_crontab_t:fd use;
+	allow $2 $1_crontab_t:fd use;
-	allow $1_crontab_t $1_t:fd use;
+	allow $1_crontab_t $2:fd use;
-	allow $1_crontab_t $1_t:fifo_file rw_file_perms;
+	allow $1_crontab_t $2:fifo_file rw_file_perms;
-	allow $1_crontab_t $1_t:process sigchld;
+	allow $1_crontab_t $2:process sigchld;
 
 	# for ^Z
-	allow $1_t $1_crontab_t:process signal;
+	allow $2 $1_crontab_t:process signal;
 
 	# Allow crond to read those crontabs in cron spool.
 	allow crond_t $1_cron_spool_t:file r_file_perms;
@@ -188,6 +194,11 @@ template(`cron_per_userdomain_template',`
 
 	fs_getattr_xattr_fs($1_crontab_t)
 
+	# Run helper programs as the user domain
+	corecmd_bin_domtrans($1_crontab_t,$2)
+	corecmd_sbin_domtrans($1_crontab_t,$2)
+	corecmd_shell_domtrans($1_crontab_t,$2)
+
 	domain_use_wide_inherit_fd($1_crontab_t)
 
 	files_read_etc_files($1_crontab_t)
@@ -202,8 +213,12 @@ template(`cron_per_userdomain_template',`
 
 	seutil_dontaudit_search_config($1_crontab_t)
 
-	userdom_manage_user_tmp_dirs($1_crontab_t,$1)
+	userdom_manage_user_tmp_dirs($1,$1_crontab_t)
-	userdom_manage_user_tmp_files($1_crontab_t,$1)
+	userdom_manage_user_tmp_files($1,$1_crontab_t)
+	# Access terminals.
+	userdom_use_user_terminals($1,$1_crontab_t)
+	# Read user crontabs
+	userdom_read_user_home_files($1,$1_crontab_t)
 
 	tunable_policy(`fcron_crond', `
 		# fcron wants an instant update of a crontab change for the administrator
@@ -212,7 +227,6 @@ template(`cron_per_userdomain_template',`
 	')
 
 	ifdef(`TODO',`
-
 	can_ps($1_t, $1_crontab_t)
 
 	dontaudit $1_crontab_t proc_t:dir search;
@@ -220,19 +234,10 @@ template(`cron_per_userdomain_template',`
 	allow $1_crond_t tmp_t:dir rw_dir_perms;
 	type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
 
-	# Run helper programs as $1_t
-	domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
-
 	# Read user crontabs
 	allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;  
-	allow $1_crontab_t $1_home_t:file r_file_perms;  
 	dontaudit $1_crontab_t $1_home_dir_t:dir write;
 
-	# Access terminals.
-	allow $1_crontab_t devpts_t:dir r_dir_perms;
-	allow $1_crontab_t $1_tty_device_t:chr_file rw_file_perms;
-	allow $1_crontab_t $1_devpts_t:chr_file rw_file_perms;
-
 	# Inherit and use descriptors from gnome-pty-helper.
 	ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
 	') dnl endif TODO

refpolicy/policy/modules/services/mta.if

@@ -1,15 +1,36 @@
 ## <summary>Policy common to all email tranfer agents.</summary>
 
 #######################################
-#
+## <summary>
-# Per user domain template for this module
+##	The per user domain template for the mta module.
-#
+## </summary>
-# mta_per_userdomain_template(userdomain_prefix)
+## <desc>
+##	<p>
+##	This template creates a derived domain which is
+##	a email transfer agent, which sends mail on
+##	behalf of the user.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+##	The type of the user domain.
+## </param>
+## <param name="user_role">
+##	The role associated with the user domain.
+## </param>
 #
 template(`mta_per_userdomain_template',`
 	type $1_mail_t; # , user_mail_domain
 	domain_type($1_mail_t)
-	role $1_r types $1_mail_t;
+	role $3 types $1_mail_t;
 
 	type $1_mail_tmp_t;
 	files_tmp_file($1_mail_tmp_t)
@@ -30,13 +51,13 @@ template(`mta_per_userdomain_template',`
 	allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
 
 	# Transition from the user domain to the derived domain.
-	domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t)
+	domain_auto_trans($2, sendmail_exec_t, $1_mail_t)
-	allow $1_t sendmail_exec_t:lnk_file { getattr read };
+	allow $2 sendmail_exec_t:lnk_file { getattr read };
 
-	allow $1_t $1_mail_t:fd use;
+	allow $2 $1_mail_t:fd use;
-	allow $1_mail_t $1_t:fd use;
+	allow $1_mail_t $2:fd use;
-	allow $1_mail_t $1_t:fifo_file rw_file_perms;
+	allow $1_mail_t $2:fifo_file rw_file_perms;
-	allow $1_mail_t $1_t:process sigchld;
+	allow $1_mail_t $2:process sigchld;
 
 	kernel_read_kernel_sysctl($1_mail_t)
 
@@ -64,6 +85,8 @@ template(`mta_per_userdomain_template',`
 
 	sysnet_read_config($1_mail_t)
 
+	userdom_use_user_terminals($1,$1_mail_t)
+
 	tunable_policy(`use_dns',`
 		allow $1_mail_t self:udp_socket create_socket_perms;
 		corenet_udp_sendrecv_all_if($1_mail_t)
@@ -113,10 +136,6 @@ template(`mta_per_userdomain_template',`
 	allow mta_user_agent devpts_t:dir r_dir_perms;
 	allow mta_user_agent $1_devpts_t:chr_file rw_file_perms;
 
-	allow $1_mail_t $1_tty_device_t:chr_file rw_file_perms;
-	allow $1_mail_t devpts_t:dir r_dir_perms;
-	allow $1_mail_t $1_devpts_t:chr_file rw_file_perms;
-
 	# Inherit and use descriptors from gnome-pty-helper.
 	ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
 

refpolicy/policy/modules/services/ssh.if

@@ -20,6 +20,12 @@
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
+## <param name="user_domain">
+##	The type of the user domain.
+## </param>
+## <param name="user_role">
+##	The role associated with the user domain.
+## </param>
 #
 template(`ssh_per_userdomain_template',`
 	##############################
@@ -29,14 +35,14 @@ template(`ssh_per_userdomain_template',`
 
 	type $1_home_ssh_t; #, $1_file_type;
 	files_type($1_home_ssh_t)
-	role $1_r types $1_ssh_t;
+	role $3 types $1_ssh_t;
 
 	type $1_ssh_t;
 	domain_type($1_ssh_t)
 
 	type $1_ssh_agent_t;
 	domain_type($1_ssh_agent_t)
-	role $1_r types $1_ssh_agent_t;
+	role $3 types $1_ssh_agent_t;
 
 	##############################
 	#
@@ -57,7 +63,11 @@ template(`ssh_per_userdomain_template',`
 	allow $1_ssh_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
 
 	# Transition from the user domain to the derived domain.
-	domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
+	domain_auto_trans($2, ssh_exec_t, $1_ssh_t)
+	allow $2 $1_ssh_t:fd use;
+	allow $1_ssh_t $2:fd use;
+	allow $1_ssh_t $2:fifo_file rw_file_perms;
+	allow $1_ssh_t $2:process sigchld;
 
 	# Read the ssh key file.
 	allow $1_ssh_t sshd_key_t:file r_file_perms;
@@ -68,20 +78,20 @@ template(`ssh_per_userdomain_template',`
 	files_create_tmp_files($1_ssh_t, sshd_tmp_t, { file dir })
 
 	# for rsync
-	allow $1_ssh_t $1_t:unix_stream_socket rw_socket_perms;
+	allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
-	allow $1_ssh_t $1_t:unix_stream_socket connectto;
+	allow $1_ssh_t $2:unix_stream_socket connectto;
 
 	# user can manage the keys and config
-	allow $1_t $1_home_ssh_t:dir rw_dir_perms;
+	allow $2 $1_home_ssh_t:dir rw_dir_perms;
-	allow $1_t $1_home_ssh_t:file create_file_perms;
+	allow $2 $1_home_ssh_t:file create_file_perms;
-	allow $1_t $1_home_ssh_t:lnk_file create_lnk_perms;
+	allow $2 $1_home_ssh_t:lnk_file create_lnk_perms;
-	allow $1_t $1_home_ssh_t:sock_file create_file_perms;
+	allow $2 $1_home_ssh_t:sock_file create_file_perms;
 
 	# inheriting stream sockets is needed for "ssh host command" as no pty
 	# is allocated
 	# cjp: should probably fix target to be an attribute for ssh servers
 	# or "regular" (not special like sshd_extern_t) servers
-	allow $1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
+	allow $2 sshd_t:unix_stream_socket rw_stream_socket_perms;
 
 	# ssh client can manage the keys and config
 	allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
@@ -248,20 +258,30 @@ template(`ssh_per_userdomain_template',`
 	allow $1_ssh_agent_t self:process setrlimit;
 	allow $1_ssh_agent_t self:capability setgid;
 
-	allow $1_ssh_agent_t { $1_ssh_agent_t $1_t }:process signull;
+	allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
 
 	allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
 
+	# for ssh-add
+	allow $2 $1_ssh_agent_t:unix_stream_socket connectto;
+
+	# Allow the user shell to signal the ssh program.
+	allow $2 $1_ssh_agent_t:process signal;
+
 	# for the transition back to normal privs upon exec
-	allow $1_ssh_agent_t $1_t:fd use;
+	allow $1_ssh_agent_t $2:fd use;
-	allow $1_t $1_ssh_agent_t:fd use;
+	allow $2 $1_ssh_agent_t:fd use;
-	allow $1_t $1_ssh_agent_t:fifo_file rw_file_perms;
+	allow $2 $1_ssh_agent_t:fifo_file rw_file_perms;
-	allow $1_t $1_ssh_agent_t:process sigchld;
+	allow $2 $1_ssh_agent_t:process sigchld;
 
 	# Allow the ssh program to communicate with ssh-agent.
 	allow $1_ssh_t sshd_t:unix_stream_socket connectto;
 
-	domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t)
+	domain_auto_trans($2, ssh_agent_exec_t, $1_ssh_agent_t)
+	allow $2 $1_ssh_agent_t:fd use;
+	allow $1_ssh_agent_t $2:fd use;
+	allow $1_ssh_agent_t $2:fifo_file rw_file_perms;
+	allow $1_ssh_agent_t $2:process sigchld;
 
 	kernel_read_kernel_sysctl($1_ssh_agent_t)
 
@@ -290,6 +310,9 @@ template(`ssh_per_userdomain_template',`
 
 	seutil_dontaudit_search_config($1_ssh_agent_t)
 
+	# Write to the user domain tty.
+	userdom_use_user_terminals($1,$1_ssh_agent_t)
+
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_files($1_ssh_agent_t)
 
@@ -318,11 +341,6 @@ template(`ssh_per_userdomain_template',`
 
 	ifdef(`TODO',`
 
-	# Write to the user domain tty.
-	access_terminal($1_ssh_agent_t, $1)
-
-	# Allow the user shell to signal the ssh program.
-	allow $1_t $1_ssh_agent_t:process signal;
 	# allow ps to show ssh
 	can_ps($1_t, $1_ssh_agent_t)
 
@@ -333,12 +351,8 @@ template(`ssh_per_userdomain_template',`
 	allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms;
 	file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t)
 
-	# for ssh-add
-	can_unix_connect($1_t, $1_ssh_agent_t)
-
 	# transition back to normal privs upon exec
 	domain_auto_trans($1_ssh_agent_t, $1_home_t, $1_t)
-
 	allow $1_ssh_agent_t $1_home_dir_t:dir search;
 
 	allow $1_ssh_t $1_tmp_t:sock_file write;
@@ -351,7 +365,7 @@ template(`ssh_per_userdomain_template',`
 
 	# Allow the ssh program to communicate with ssh-agent.
 	allow $1_ssh_t $1_tmp_t:sock_file write;
-	allow $1_ssh_t $1_t:unix_stream_socket connectto;
+	allow $1_ssh_t $2:unix_stream_socket connectto;
 	') dnl endif TODO
 ')
 

refpolicy/policy/modules/system/authlogin.if

@@ -21,6 +21,12 @@
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
+## <param name="user_domain">
+##	The type of the user domain.
+## </param>
+## <param name="user_role">
+##	The role associated with the user domain.
+## </param>
 #
 template(`authlogin_per_userdomain_template',`
 	gen_require(`
@@ -38,8 +44,8 @@ template(`authlogin_per_userdomain_template',`
 	type $1_chkpwd_t, can_read_shadow_passwords;
 	domain_type($1_chkpwd_t)
 	domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
-	role $1_r types $1_chkpwd_t;
+	role $3 types $1_chkpwd_t;
-	role $1_r types system_chkpwd_t;
+	role $3 types system_chkpwd_t;
 
 	allow $1_chkpwd_t self:capability setuid;
 	allow $1_chkpwd_t self:process getattr;
@@ -70,16 +76,15 @@ template(`authlogin_per_userdomain_template',`
 	#can_ldap($1_chkpwd_t)
 
 	# Transition from the user domain to this domain.
-	domain_auto_trans($1_t,chkpwd_exec_t,$1_chkpwd_t)
+	domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
 
-	allow $1_chkpwd_t $1_t:fd use;
+	allow $1_chkpwd_t $2:fd use;
-	allow $1_t $1_chkpwd_t:fd use;
+	allow $2 $1_chkpwd_t:fd use;
-	allow $1_chkpwd_t $1_t:fifo_file rw_file_perms;
+	allow $1_chkpwd_t $2:fifo_file rw_file_perms;
-	allow $1_chkpwd_t $1_t:process sigchld;
+	allow $1_chkpwd_t $2:process sigchld;
 
 	# Write to the user domain tty.
-	#userdomain_use_$1_terminal($1_chkpwd_t)
+	userdom_use_user_terminals($1,$1_chkpwd_t)
-	#userdomain_use_$1_pty($1_chkpwd_t)
 
 	# Inherit and use descriptors from gnome-pty-helper.
 	#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
@@ -110,7 +115,6 @@ template(`authlogin_per_userdomain_template',`
 	optional_policy(`selinuxutil.te',`
 		seutil_use_newrole_fd($1_chkpwd_t)
 	')
-
 ')
 
 ########################################

refpolicy/policy/modules/system/corecommands.if

@@ -347,6 +347,49 @@ interface(`corecmd_exec_sbin',`
 
 ')
 
+########################################
+## <summary>
+##	Execute a file in a sbin directory
+##	in the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute a file in a sbin directory
+##	in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on these filesystems in the specified
+##	domain.  This is not suggested.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+##	<p>
+##	This interface was added to handle
+##	the ssh-agent policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="target_domain">
+##	The type of the new process.
+## </param>
+#
+interface(`corecmd_sbin_domtrans',`
+	gen_require(`
+		type sbin_t;
+		class dir search;
+		class lnk_file { getattr read };
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:lnk_file { getattr read };
+
+	domain_auto_trans($1,sbin_t,$2)
+')
+
 ########################################
 #
 # corecmd_exec_shell(domain)

refpolicy/policy/modules/system/userdomain.if

@@ -114,7 +114,7 @@ template(`base_user_template',`
 	# user domain and the program, and allow us to maintain separation
 	# between different instances of the program being run by different
 	# user domains.
-	per_userdomain_templates($1,$1_t)
+	per_userdomain_templates($1,$1_t,$1_r)
 
 	kernel_read_kernel_sysctl($1_t)
 	selinux_get_fs_mount($1_t)
@@ -865,6 +865,39 @@ template(`admin_user_template',`
 	') dnl endif TODO
 ')
 
+########################################
+## <summary>
+##	Read user home files.
+## </summary>
+## <desc>
+##	<p>
+##	Read user home files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+template(`userdom_read_user_home_files',`
+	gen_require(`
+		class dir search;
+		class file r_file_perms;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir search;
+	allow $2 $1_home_t:dir search;
+	allow $2 $1_home_t:file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Execute user home files.
@@ -878,23 +911,23 @@ template(`admin_user_template',`
 ##	be called from a per-userdomain template.
 ##	</p>
 ## </desc>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
 ## <param name="userdomain_prefix">
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 template(`userdom_exec_user_home_files',`
 	gen_require(`
 		class dir search;
 	')
 
-	files_search_home($1)
+	files_search_home($2)
-	allow $1 $2_home_dir_t:dir search;
+	allow $2 $1_home_dir_t:dir search;
-	allow $1 $2_home_t:dir search;
+	allow $2 $1_home_t:dir search;
-	can_exec($1,$2_home_t)
+	can_exec($2,$1_home_t)
 ')
 
 ########################################
@@ -912,13 +945,13 @@ template(`userdom_exec_user_home_files',`
 ##	be called from a per-userdomain template.
 ##	</p>
 ## </desc>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
 ## <param name="userdomain_prefix">
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 template(`userdom_manage_user_home_subdir_files',`
 	gen_require(`
@@ -926,10 +959,10 @@ template(`userdom_manage_user_home_subdir_files',`
 		class file create_file_perms;
 	')
 
-	files_search_home($1)
+	files_search_home($2)
-	allow $1 $2_home_dir_t:dir search;
+	allow $2 $1_home_dir_t:dir search;
-	allow $1 $2_home_t:dir rw_dir_perms;
+	allow $2 $1_home_t:dir rw_dir_perms;
-	allow $1 $2_home_t:file create_file_perms;
+	allow $2 $1_home_t:file create_file_perms;
 ')
 
 ########################################
@@ -947,13 +980,13 @@ template(`userdom_manage_user_home_subdir_files',`
 ##	be called from a per-userdomain template.
 ##	</p>
 ## </desc>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
 ## <param name="userdomain_prefix">
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 template(`userdom_manage_user_home_subdir_symlinks',`
 	gen_require(`
@@ -961,10 +994,10 @@ template(`userdom_manage_user_home_subdir_symlinks',`
 		class lnk_file create_lnk_perms;
 	')
 
-	files_search_home($1)
+	files_search_home($2)
-	allow $1 $2_home_dir_t:dir search;
+	allow $2 $1_home_dir_t:dir search;
-	allow $1 $2_home_t:dir rw_dir_perms;
+	allow $2 $1_home_t:dir rw_dir_perms;
-	allow $1 $2_home_t:lnk_file create_lnk_perms;
+	allow $2 $1_home_t:lnk_file create_lnk_perms;
 ')
 
 ########################################
@@ -982,21 +1015,21 @@ template(`userdom_manage_user_home_subdir_symlinks',`
 ##	be called from a per-userdomain template.
 ##	</p>
 ## </desc>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
 ## <param name="userdomain_prefix">
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 template(`userdom_manage_user_tmp_dirs',`
 	gen_require(`
 		class dir create_dir_perms;
 	')
 
-	files_search_tmp($1)
+	files_search_tmp($2)
-	allow $1 $2_tmp_t:dir create_dir_perms;
+	allow $2 $1_tmp_t:dir create_dir_perms;
 ')
 
 ########################################
@@ -1014,13 +1047,13 @@ template(`userdom_manage_user_tmp_dirs',`
 ##	be called from a per-userdomain template.
 ##	</p>
 ## </desc>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
 ## <param name="userdomain_prefix">
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 template(`userdom_manage_user_tmp_files',`
 	gen_require(`
@@ -1028,9 +1061,9 @@ template(`userdom_manage_user_tmp_files',`
 		class file create_file_perms;
 	')
 
-	files_search_tmp($1)
+	files_search_tmp($2)
-	allow $1 $2_tmp_t:dir rw_dir_perms;
+	allow $2 $1_tmp_t:dir rw_dir_perms;
-	allow $1 $2_tmp_t:file create_file_perms;
+	allow $2 $1_tmp_t:file create_file_perms;
 ')
 
 ########################################
@@ -1048,13 +1081,13 @@ template(`userdom_manage_user_tmp_files',`
 ##	be called from a per-userdomain template.
 ##	</p>
 ## </desc>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
 ## <param name="userdomain_prefix">
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 template(`userdom_manage_user_tmp_symlinks',`
 	gen_require(`
@@ -1062,9 +1095,9 @@ template(`userdom_manage_user_tmp_symlinks',`
 		class lnk_file create_lnk_perms;
 	')
 
-	files_search_tmp($1)
+	files_search_tmp($2)
-	allow $1 $2_tmp_t:dir rw_dir_perms;
+	allow $2 $1_tmp_t:dir rw_dir_perms;
-	allow $1 $2_tmp_t:lnk_file create_lnk_perms;
+	allow $2 $1_tmp_t:lnk_file create_lnk_perms;
 ')
 
 ########################################
@@ -1082,13 +1115,13 @@ template(`userdom_manage_user_tmp_symlinks',`
 ##	be called from a per-userdomain template.
 ##	</p>
 ## </desc>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
 ## <param name="userdomain_prefix">
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 template(`userdom_manage_user_tmp_pipes',`
 	gen_require(`
@@ -1096,9 +1129,9 @@ template(`userdom_manage_user_tmp_pipes',`
 		class fifo_file create_file_perms;
 	')
 
-	files_search_tmp($1)
+	files_search_tmp($2)
-	allow $1 $2_tmp_t:dir rw_dir_perms;
+	allow $2 $1_tmp_t:dir rw_dir_perms;
-	allow $1 $2_tmp_t:fifo_file create_file_perms;
+	allow $2 $1_tmp_t:fifo_file create_file_perms;
 ')
 
 ########################################
@@ -1116,13 +1149,13 @@ template(`userdom_manage_user_tmp_pipes',`
 ##	be called from a per-userdomain template.
 ##	</p>
 ## </desc>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
 ## <param name="userdomain_prefix">
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 template(`userdom_manage_user_tmp_sockets',`
 	gen_require(`
@@ -1130,9 +1163,9 @@ template(`userdom_manage_user_tmp_sockets',`
 		class sock_file create_file_perms;
 	')
 
-	files_search_tmp($1)
+	files_search_tmp($2)
-	allow $1 $2_tmp_t:dir rw_dir_perms;
+	allow $2 $1_tmp_t:dir rw_dir_perms;
-	allow $1 $2_tmp_t:sock_file create_file_perms;
+	allow $2 $1_tmp_t:sock_file create_file_perms;
 ')
 
 ########################################
@@ -1148,22 +1181,22 @@ template(`userdom_manage_user_tmp_sockets',`
 ##	be called from a per-userdomain template.
 ##	</p>
 ## </desc>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
 ## <param name="userdomain_prefix">
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 template(`userdom_use_user_terminals',`
 	gen_require(`
 		class chr_file rw_term_perms;
 	')
 
-	allow $1 $2_tty_device_t:chr_file rw_term_perms;
+	allow $2 $1_tty_device_t:chr_file rw_term_perms;
-	allow $1 $2_devpts_t:chr_file rw_term_perms;
+	allow $2 $1_devpts_t:chr_file rw_term_perms;
-	term_list_ptys($1)
+	term_list_ptys($2)
 ')
 
 ########################################