add polyinstantiation.

refpolicy/Changelog

@@ -1,3 +1,4 @@
+- Add polyinstantiation build option.
 - Add setcontext to the association object class.
 - Add apache relay and db connect tunables.
 - Rename texrel_shlib_t to textrel_shlib_t.

refpolicy/Makefile

@@ -109,6 +109,11 @@ ifneq ($(DISTRO),)
 	override M4PARAM += -D distro_$(DISTRO)
 endif
 
+# enable polyinstantiation
+ifeq ($(POLY),y)
+	override M4PARAM += -D enable_polyinstantiation
+endif
+
 ifneq ($(OUTPUT_POLICY),)
 	override CHECKPOLICY += -c $(OUTPUT_POLICY)
 endif

refpolicy/build.conf

@@ -42,5 +42,9 @@ DIRECT_INITRC=n
 # will build a loadable module policy.
 MONOLITHIC=y
 
+# Polyinstantiation
+# Enable polyinstantiated directory support.
+POLY=n
+
 # Uncomment this to disable command echoing
 #QUIET:=@

refpolicy/policy/modules/admin/su.if

@@ -212,6 +212,24 @@ template(`su_per_userdomain_template',`
 	userdom_use_user_terminals($1,$1_su_t)
 	userdom_search_user_home($1,$1_su_t)
 
+	ifdef(`enable_polyinstantiation',`
+		mls_file_read_up($1_su_t)
+		mls_file_write_down($1_su_t)
+		mls_file_upgrade($1_su_t)
+		mls_file_downgrade($1_su_t)
+		mls_process_set_level($1_su_t)
+
+		# Su can polyinstantiate
+		files_polyinstantiate_all($1_su_t)
+
+		# Su needs additional permission to mount over a previous mount
+		files_mounton_all_poly_members($1_su_t)
+
+		# Su has to unmount polyinstantiated directories (like home)
+		# that should not be polyinstantiated under the new user
+		fs_unmount_xattr_fs($1_su_t)
+	')
+
 	ifdef(`targeted_policy',`
 		# allow user to suspend terminal.
 		# does not work in strict since the
@@ -262,23 +280,6 @@ template(`su_per_userdomain_template',`
 	')
 
 	ifdef(`TODO',`
-
-	ifdef(`support_polyinstantiation', `
-	mls_file_read_up($1_su_t)
-	mls_file_write_down($1_su_t)
-	mls_file_upgrade($1_su_t)
-	mls_file_downgrade($1_su_t)
-	mls_process_set_level($1_su_t)
-
-	# Su can polyinstantiate
-	polyinstantiater($1_su_t)
-	# Su has to unmount polyinstantiated directories (like home)
-	# that should not be polyinstantiated under the new user
-	allow $1_su_t fs_t:filesystem unmount;
-	# Su needs additional permission to mount over a previous mount
-	allow $1_su_t polymember:dir mounton;
-	')
-
 	# Caused by su - init scripts
 	dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
 

refpolicy/policy/modules/admin/su.te

@@ -1,5 +1,5 @@
 
-policy_module(su,1.1.1)
+policy_module(su,1.1.2)
 
 ########################################
 #

refpolicy/policy/modules/kernel/files.if

@@ -3044,6 +3044,23 @@ interface(`files_read_all_pids',`
 	allow $1 pidfile:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Mount filesystems on all polyinstantiation
+##	member directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_mounton_all_poly_members',`
+	gen_require(`
+		attribute polymember;
+	')
+
+	allow $1 polymember:dir mounton;
+')
+
 ########################################
 #
 # files_delete_all_pids(domain)
@@ -3153,6 +3170,47 @@ interface(`files_manage_generic_spools',`
 	allow $1 var_spool_t:file create_file_perms;
 ')
 
+########################################
+## <summary>
+##	Allow access to manage all polyinstantiated
+##	directories on the system.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_polyinstantiate_all',`
+	gen_require(`
+		attribute polydir, polymember, polyparent;
+		type poly_t;
+	')
+
+	# Need to give access to /selinux/member
+	selinux_compute_member($1)
+
+	# Need sys_admin capability for mounting
+	allow $1 self:capability sys_admin;
+
+	# Need to give access to the directories to be polyinstantiated
+	allow $1 polydir:dir { create getattr search write add_name setattr mounton };
+
+	# Need to give access to the polyinstantiated subdirectories
+	allow $1 polymember:dir search_dir_perms;
+
+	# Need to give access to parent directories where original
+	# is remounted for polyinstantiation aware programs (like gdm)
+	allow $1 polyparent:dir { getattr mounton };
+
+	# Need to give permission to create directories where applicable
+	allow $1 self:process setfscreate;
+	allow $1 polymember: dir { create setattr };
+	allow $1 polydir: dir { write add_name };
+	allow $1 polyparent:dir { write add_name };
+
+	# Default type for mountpoints
+	allow $1 poly_t:dir { create mounton };
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to files.

refpolicy/policy/modules/kernel/files.te

@@ -1,5 +1,5 @@
 
-policy_module(files,1.0.0)
+policy_module(files,1.0.1)
 
 ########################################
 #

refpolicy/policy/modules/system/userdomain.if

@@ -228,6 +228,8 @@ template(`base_user_template',`
 
 	files_exec_etc_files($1_t)
 	files_search_locks($1_t)
+	# Check to see if cdrom is mounted
+	files_search_mnt($1_t)
 	# old broswer_domain():
 	files_dontaudit_list_non_security($1_t)
 	files_dontaudit_getattr_non_security_files($1_t)
@@ -443,9 +445,6 @@ template(`base_user_template',`
 	#
 	dontaudit $1_t usr_t:file setattr;
 
-	# Check to see if cdrom is mounted
-	allow $1_t mnt_t:dir { getattr search };
-
 	# /initrd is left mounted, various programs try to look at it
 	dontaudit $1_t ramfs_t:dir getattr;
 
@@ -601,7 +600,7 @@ template(`unpriv_user_template', `
 
 	ifdef(`enable_polyinstantiation',`
 		type_member $1_t $1_home_dir_t:dir $1_home_t;
-		files_poly_member_tmp($1_t)
+		files_poly_member_tmp($1_t,$1_tmp_t)
 	')
 
 	tunable_policy(`user_dmesg',`
@@ -659,9 +658,9 @@ template(`unpriv_user_template', `
 	')
 
 	ifdef(`TODO',`
-
 	ifdef(`enable_mls',`',`
 		fs_exec_noxattr($1_t)
+
 		tunable_policy(`user_rw_noexattrfile',`
 			create_dir_file($1_t, noexattrfile)
 			# Write floppies 

refpolicy/policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.1.2)
+policy_module(userdomain,1.1.3)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r, secadm_r;