diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 0b9aa7bb..fa257c83 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,3 +1,5 @@ +- Remove role change rules in su and sudo since this functionality has been + removed from these programs. - Add ctags Make target from Thomas Bleher. - Collapse commands with grep piped to sed into one sed command. - Fix type_change bug in term_user_pty(). diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if index c29a0f28..c04e59e4 100644 --- a/refpolicy/policy/modules/admin/su.if +++ b/refpolicy/policy/modules/admin/su.if @@ -8,9 +8,6 @@ template(`su_restricted_domain_template', ` type $1_su_t; domain_entry_file($1_su_t,su_exec_t) domain_type($1_su_t) - domain_role_change_exempt($1_su_t) - domain_subj_id_change_exempt($1_su_t) - domain_obj_id_change_exempt($1_su_t) domain_wide_inherit_fd($1_su_t) role $3 types $1_su_t; @@ -48,13 +45,6 @@ template(`su_restricted_domain_template', ` files_search_var_lib($1_su_t) files_dontaudit_getattr_tmp_dir($1_su_t) - selinux_get_fs_mount($1_su_t) - selinux_validate_context($1_su_t) - selinux_compute_access_vector($1_su_t) - selinux_compute_create_context($1_su_t) - selinux_compute_relabel_context($1_su_t) - selinux_compute_user_contexts($1_su_t) - auth_domtrans_chk_passwd($1_su_t) auth_dontaudit_read_shadow($1_su_t) auth_use_nsswitch($1_su_t) @@ -73,12 +63,6 @@ template(`su_restricted_domain_template', ` miscfiles_read_localization($1_su_t) - seutil_read_config($1_su_t) - seutil_read_default_contexts($1_su_t) - - # Only allow transitions to unprivileged user domains. - userdom_spec_domtrans_unpriv_users($1_su_t) - optional_policy(`cron',` cron_read_pipe($1_su_t) ') @@ -133,9 +117,6 @@ template(`su_per_userdomain_template',` type $1_su_t; domain_entry_file($1_su_t,su_exec_t) domain_type($1_su_t) - domain_role_change_exempt($1_su_t) - domain_subj_id_change_exempt($1_su_t) - domain_obj_id_change_exempt($1_su_t) domain_wide_inherit_fd($1_su_t) role $3 types $1_su_t; @@ -169,20 +150,6 @@ template(`su_per_userdomain_template',` fs_search_auto_mountpoints($1_su_t) - selinux_get_fs_mount($1_su_t) - selinux_validate_context($1_su_t) - selinux_compute_access_vector($1_su_t) - selinux_compute_create_context($1_su_t) - selinux_compute_relabel_context($1_su_t) - selinux_compute_user_contexts($1_su_t) - - # Relabel ttys and ptys. - term_relabel_all_user_ttys($1_su_t) - term_relabel_all_user_ptys($1_su_t) - # Close and re-open ttys and ptys to get the fd into the correct domain. - term_use_all_user_ttys($1_su_t) - term_use_all_user_ptys($1_su_t) - auth_domtrans_user_chk_passwd($1,$1_su_t) auth_dontaudit_read_shadow($1_su_t) auth_use_nsswitch($1_su_t) @@ -208,27 +175,11 @@ template(`su_per_userdomain_template',` miscfiles_read_localization($1_su_t) - seutil_read_config($1_su_t) - seutil_read_default_contexts($1_su_t) - userdom_use_user_terminals($1,$1_su_t) userdom_search_user_home($1,$1_su_t) ifdef(`enable_polyinstantiation',` - mls_file_read_up($1_su_t) - mls_file_write_down($1_su_t) - mls_file_upgrade($1_su_t) - mls_file_downgrade($1_su_t) - mls_process_set_level($1_su_t) - - # Su can polyinstantiate - files_polyinstantiate_all($1_su_t) - - # Su needs additional permission to mount over a previous mount - files_mounton_all_poly_members($1_su_t) - - # Su has to unmount polyinstantiated directories (like home) - # that should not be polyinstantiated under the new user + fs_mount_xattr_fs($1_su_t) fs_unmount_xattr_fs($1_su_t) ') @@ -243,22 +194,6 @@ template(`su_per_userdomain_template',` corecmd_exec_bin($1_su_t) userdom_manage_all_user_files($1_su_t) userdom_manage_all_user_symlinks($1_su_t) - - # newrole does not make any sense in - # the targeted policy. This is to - # make sediff easier. - if(!secure_mode) { - unconfined_domtrans($1_su_t) - unconfined_signal($1_su_t) - } - ',` - if(secure_mode) { - # Only allow transitions to unprivileged user domains. - userdom_spec_domtrans_unpriv_users($1_su_t) - } else { - # Allow transitions to all user domains - userdom_spec_domtrans_all_users($1_su_t) - } ') tunable_policy(`use_nfs_home_dirs',` diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if index 75a475af..49b17e7f 100644 --- a/refpolicy/policy/modules/admin/sudo.if +++ b/refpolicy/policy/modules/admin/sudo.if @@ -43,10 +43,6 @@ template(`sudo_per_userdomain_template',` domain_type($1_sudo_t) domain_entry_file($1_sudo_t,sudo_exec_t) domain_wide_inherit_fd($1_sudo_t) - domain_subj_id_change_exempt($1_sudo_t) - domain_role_change_exempt($1_sudo_t) - domain_obj_id_change_exempt($1_sudo_t) - role $3 types $1_sudo_t; ############################## @@ -92,18 +88,6 @@ template(`sudo_per_userdomain_template',` fs_search_auto_mountpoints($1_sudo_t) fs_getattr_xattr_fs($1_sudo_t) - selinux_get_fs_mount($1_sudo_t) - selinux_validate_context($1_sudo_t) - selinux_compute_access_vector($1_sudo_t) - selinux_compute_create_context($1_sudo_t) - selinux_compute_relabel_context($1_sudo_t) - selinux_compute_user_contexts($1_sudo_t) - - term_use_all_user_ttys($1_sudo_t) - term_use_all_user_ptys($1_sudo_t) - term_relabel_all_user_ttys($1_sudo_t) - term_relabel_all_user_ptys($1_sudo_t) - auth_domtrans_chk_passwd($1_sudo_t) corecmd_getattr_bin_file($1_sudo_t) @@ -130,31 +114,15 @@ template(`sudo_per_userdomain_template',` miscfiles_read_localization($1_sudo_t) - mls_file_read_up($1_sudo_t) - mls_file_write_down($1_sudo_t) - mls_file_upgrade($1_sudo_t) - mls_file_downgrade($1_sudo_t) - mls_process_set_level($1_sudo_t) - - seutil_read_config($1_sudo_t) - seutil_read_default_contexts($1_sudo_t) - userdom_manage_user_home_subdir_files($1,$1_sudo_t) userdom_manage_user_home_subdir_symlinks($1,$1_sudo_t) userdom_manage_user_tmp_files($1,$1_sudo_t) userdom_manage_user_tmp_symlinks($1,$1_sudo_t) + userdom_use_user_terminals($1,$1_sudo_t) userdom_use_unpriv_users_fd($1_sudo_t) # for some PAM modules and for cwd userdom_dontaudit_search_all_users_home($1_sudo_t) - # if secure mode is enabled, then sudo - # can only transition to unprivileged users - if(secure_mode) { - userdom_spec_domtrans_unpriv_users($1_sudo_t) - } else { - userdom_spec_domtrans_all_users($1_sudo_t) - } - optional_policy(`nis',` nis_use_ypbind($1_sudo_t) ')