selinux-policy/policy-rawhide-roleattribute.patch
2012-06-07 10:30:58 -04:00


commit cfa63bfedb3b94a2b78bc3ee394cf7132167e45b
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 02:18:29 2012 +0200
roleattribute patch
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index 4a50807..5e914db 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -56,11 +56,21 @@ interface(`bootloader_exec',`
#
interface(`bootloader_run',`
gen_require(`
- attribute_role bootloader_roles;
+ type bootloader_t;
+ #attribute_role bootloader_roles;
')
+ #bootloader_domtrans($1)
+ #roleattribute $2 bootloader_roles;
+
bootloader_domtrans($1)
- roleattribute $2 bootloader_roles;
+
+ role $2 types bootloader_t;
+
+ ifdef(`distro_redhat',`
+ # for mke2fs
+ mount_run(bootloader_t, $2)
+ ')
')
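Review bot: The previous body of `bootloader_run` is kept as commented-out text (`#attribute_role bootloader_roles;`, `#bootloader_domtrans($1)`, `#roleattribute $2 bootloader_roles;`) instead of being deleted, so the converted interface now carries a dead copy of itself next to the live code. The same pattern repeats in every `_run` interface and `.te` file in this commit (usermanage, iptables, modutils, mount, selinuxutil, sysnetwork) and in the follow-up commits below. The role-attribute form is already preserved in history; dropping the commented lines would leave just `bootloader_domtrans($1)`, `role $2 types bootloader_t;` and the `distro_redhat` block, which is what a reader has to find anyway.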
########################################
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 81a08e4..e717a21 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0)
# Declarations
#
-attribute_role bootloader_roles;
-roleattribute system_r bootloader_roles;
+#attribute_role bootloader_roles;
+#roleattribute system_r bootloader_roles;
#
# boot_runtime_t is the type for /boot/kernel.h,
@@ -19,7 +19,8 @@ files_type(boot_runtime_t)
type bootloader_t;
type bootloader_exec_t;
application_domain(bootloader_t, bootloader_exec_t)
-role bootloader_roles types bootloader_t;
+#role bootloader_roles types bootloader_t;
+role system_r types bootloader_t;
#
# bootloader_etc_t is the configuration file,
@@ -174,7 +175,8 @@ ifdef(`distro_redhat',`
files_manage_isid_type_chr_files(bootloader_t)
# for mke2fs
- mount_run(bootloader_t, bootloader_roles)
+ #mount_run(bootloader_t, bootloader_roles)
+ mount_domtrans(bootloader_t)
optional_policy(`
unconfined_domain(bootloader_t)
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 4d387af..764260e 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -37,11 +37,16 @@ interface(`usermanage_domtrans_chfn',`
#
interface(`usermanage_run_chfn',`
gen_require(`
- attribute_role chfn_roles;
+ #attribute_role chfn_roles;
+ type chfn_t;
')
+ #usermanage_domtrans_chfn($1)
+ #roleattribute $2 chfn_roles;
+
usermanage_domtrans_chfn($1)
- roleattribute $2 chfn_roles;
+ role $2 types chfn_t;
+
')
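Review bot: `usermanage_run_chfn` no longer authorizes role `$2` for the chkpwd domain: the matching usermanage.te hunk replaces `auth_run_chk_passwd(chfn_t, chfn_roles)` with `auth_use_pam(chfn_t)`, which at most adds the domain transition, while this interface adds nothing for the role, unlike `usermanage_run_passwd` later in this file which adds `auth_run_chk_passwd(passwd_t, $2)`. Unless `$2` is already allowed `chkpwd_t` elsewhere (for example via the user role templates), chfn's password check would be refused at the role check of the transition. The same gap exists in `usermanage_run_groupadd` and `usermanage_run_useradd`, whose .te lines switch to `auth_domtrans_chk_passwd`, and in `seutil_run_newrole`, which adds only `auth_run_upd_passwd(newrole_t, $2)` while selinuxutil.te comments out both the chk and upd run calls. Adding `auth_run_chk_passwd(chfn_t, $2)` after `role $2 types chfn_t;` restores the authorization the attribute used to carry.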
########################################
@@ -101,11 +106,19 @@ interface(`usermanage_access_check_groupadd',`
#
interface(`usermanage_run_groupadd',`
gen_require(`
- attribute_role groupadd_roles;
+ type groupadd_t;
+ #attribute_role groupadd_roles;
')
+ #usermanage_domtrans_groupadd($1)
+ #roleattribute $2 groupadd_roles;
usermanage_domtrans_groupadd($1)
- roleattribute $2 groupadd_roles;
+ role $2 types groupadd_t;
+
+ optional_policy(`
+ nscd_run(groupadd_t, $2)
+ ')
+
')
########################################
@@ -163,11 +176,17 @@ interface(`usermanage_kill_passwd',`
#
interface(`usermanage_run_passwd',`
gen_require(`
- attribute_role passwd_roles;
+ type type passwd_t;
+ #attribute_role passwd_roles;
')
+ #usermanage_domtrans_passwd($1)
+ #roleattribute $2 passwd_roles;
+
usermanage_domtrans_passwd($1)
- roleattribute $2 passwd_roles;
+ role $2 types passwd_t;
+ auth_run_chk_passwd(passwd_t, $2)
+
')
########################################
@@ -229,11 +248,20 @@ interface(`usermanage_domtrans_admin_passwd',`
#
interface(`usermanage_run_admin_passwd',`
gen_require(`
- attribute_role sysadm_passwd_roles;
+ type sysadm_passwd_t;
+ #attribute_role sysadm_passwd_roles;
')
+ #usermanage_domtrans_admin_passwd($1)
+ #roleattribute $2 sysadm_passwd_roles;
+
usermanage_domtrans_admin_passwd($1)
- roleattribute $2 sysadm_passwd_roles;
+ role $2 types sysadm_passwd_t;
+
+ optional_policy(`
+ nscd_run(sysadm_passwd_t, $2)
+ ')
+
')
########################################
@@ -292,11 +320,20 @@ interface(`usermanage_domtrans_useradd',`
#
interface(`usermanage_run_useradd',`
gen_require(`
- attribute_role useradd_roles;
+ #attribute_role useradd_roles;
+ type sysadm_passwd_t;
')
- usermanage_domtrans_useradd($1)
- roleattribute $2 useradd_roles;
+ #usermanage_domtrans_useradd($1)
+ #roleattribute $2 useradd_roles;
+
+ usermanage_domtrans_admin_passwd($1)
+ role $2 types sysadm_passwd_t;
+
+ optional_policy(`
+ nscd_run(sysadm_passwd_t, $2)
+ ')
+
')
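Review bot: `usermanage_run_useradd` now requires `sysadm_passwd_t`, calls `usermanage_domtrans_admin_passwd($1)` and grants `role $2 types sysadm_passwd_t;`, so a caller asking for useradd is given the admin passwd domain instead and never reaches `useradd_t`; the body looks copied from `usermanage_run_admin_passwd` directly above. None of the follow-up commits on this page correct it. The require block should read `type useradd_t;`, followed by `usermanage_domtrans_useradd($1)` and `role $2 types useradd_t;`, with the `nscd_run` call taking `useradd_t` as well.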
########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 446b743..a077b28 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.17.3)
# Declarations
#
-attribute_role chfn_roles;
-role system_r types chfn_t;
+#attribute_role chfn_roles;
+#role system_r types chfn_t;
-attribute_role groupadd_roles;
+#attribute_role groupadd_roles;
-attribute_role passwd_roles;
-roleattribute system_r passwd_roles;
+#attribute_role passwd_roles;
+#roleattribute system_r passwd_roles;
-attribute_role sysadm_passwd_roles;
-roleattribute system_r sysadm_passwd_roles;
+#attribute_role sysadm_passwd_roles;
+#roleattribute system_r sysadm_passwd_roles;
-attribute_role useradd_roles;
+#attribute_role useradd_roles;
type admin_passwd_exec_t;
files_type(admin_passwd_exec_t)
@@ -25,7 +25,8 @@ type chfn_t;
type chfn_exec_t;
domain_obj_id_change_exemption(chfn_t)
application_domain(chfn_t, chfn_exec_t)
-role chfn_roles types chfn_t;
+#role chfn_roles types chfn_t;
+role system_r types chfn_t;
type crack_t;
type crack_exec_t;
@@ -42,18 +43,21 @@ type groupadd_t;
type groupadd_exec_t;
domain_obj_id_change_exemption(groupadd_t)
init_system_domain(groupadd_t, groupadd_exec_t)
-role groupadd_roles types groupadd_t;
+#role groupadd_roles types groupadd_t;
+
type passwd_t;
type passwd_exec_t;
domain_obj_id_change_exemption(passwd_t)
application_domain(passwd_t, passwd_exec_t)
-role passwd_roles types passwd_t;
+#role passwd_roles types passwd_t;
+role system_r types passwd_t;
type sysadm_passwd_t;
domain_obj_id_change_exemption(sysadm_passwd_t)
application_domain(sysadm_passwd_t, admin_passwd_exec_t)
-role sysadm_passwd_roles types sysadm_passwd_t;
+#role sysadm_passwd_roles types sysadm_passwd_t;
+role system_r types sysadm_passwd_t;
type sysadm_passwd_tmp_t;
files_tmp_file(sysadm_passwd_tmp_t)
@@ -62,7 +66,8 @@ type useradd_t;
type useradd_exec_t;
domain_obj_id_change_exemption(useradd_t)
init_system_domain(useradd_t, useradd_exec_t)
-role useradd_roles types useradd_t;
+#role useradd_roles types useradd_t;
+role system_r types useradd_t;
########################################
#
@@ -106,11 +111,11 @@ fs_search_auto_mountpoints(chfn_t)
dev_read_urand(chfn_t)
dev_dontaudit_getattr_all(chfn_t)
-#auth_manage_passwd(chfn_t)
-#auth_use_pam(chfn_t)
-auth_run_chk_passwd(chfn_t, chfn_roles)
-auth_dontaudit_read_shadow(chfn_t)
-auth_use_nsswitch(chfn_t)
+auth_manage_passwd(chfn_t)
+auth_use_pam(chfn_t)
+#auth_run_chk_passwd(chfn_t, chfn_roles)
+#auth_dontaudit_read_shadow(chfn_t)
+#auth_use_nsswitch(chfn_t)
# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)
@@ -250,7 +255,8 @@ logging_send_syslog_msg(groupadd_t)
miscfiles_read_localization(groupadd_t)
-auth_run_chk_passwd(groupadd_t, groupadd_roles)
+#auth_run_chk_passwd(groupadd_t, groupadd_roles)
+auth_domtrans_chk_passwd(groupadd_t)
auth_rw_lastlog(groupadd_t)
auth_use_nsswitch(groupadd_t)
auth_manage_passwd(groupadd_t)
@@ -273,7 +279,8 @@ optional_policy(`
')
optional_policy(`
- nscd_run(groupadd_t, groupadd_roles)
+# nscd_run(groupadd_t, groupadd_roles)
+ nscd_domtrans(groupadd_t)
')
optional_policy(`
@@ -332,18 +339,18 @@ selinux_compute_user_contexts(passwd_t)
term_use_all_inherited_terms(passwd_t)
term_getattr_all_ptys(passwd_t)
-#auth_manage_passwd(passwd_t)
-#auth_manage_shadow(passwd_t)
-#auth_relabel_shadow(passwd_t)
-#auth_etc_filetrans_shadow(passwd_t)
-#auth_use_pam(passwd_t)
-
-auth_run_chk_passwd(passwd_t, passwd_roles)
auth_manage_passwd(passwd_t)
auth_manage_shadow(passwd_t)
auth_relabel_shadow(passwd_t)
auth_etc_filetrans_shadow(passwd_t)
-auth_use_nsswitch(passwd_t)
+auth_use_pam(passwd_t)
+
+#auth_run_chk_passwd(passwd_t, passwd_roles)
+#auth_manage_passwd(passwd_t)
+#auth_manage_shadow(passwd_t)
+#auth_relabel_shadow(passwd_t)
+#auth_etc_filetrans_shadow(passwd_t)
+#auth_use_nsswitch(passwd_t)
# allow checking if a shell is executable
corecmd_check_exec_shell(passwd_t)
@@ -385,7 +392,8 @@ userdom_dontaudit_search_user_home_content(passwd_t)
userdom_stream_connect(passwd_t)
optional_policy(`
- nscd_run(passwd_t, passwd_roles)
+ #nscd_run(passwd_t, passwd_roles)
+ nscd_domtrans(passwd_t)
')
########################################
@@ -469,7 +477,8 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
optional_policy(`
- nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
+ nscd_domtrans(sysadm_passwd_t)
+ #nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
')
########################################
@@ -525,7 +534,8 @@ seutil_manage_default_contexts(useradd_t)
term_use_all_inherited_terms(useradd_t)
term_getattr_all_ptys(useradd_t)
-auth_run_chk_passwd(useradd_t, useradd_roles)
+#auth_run_chk_passwd(useradd_t, useradd_roles)
+auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
@@ -547,15 +557,15 @@ miscfiles_read_localization(useradd_t)
seutil_read_config(useradd_t)
seutil_read_file_contexts(useradd_t)
seutil_read_default_contexts(useradd_t)
-#seutil_domtrans_semanage(useradd_t)
-#seutil_domtrans_setfiles(useradd_t)
-#seutil_domtrans_loadpolicy(useradd_t)
-#seutil_manage_bin_policy(useradd_t)
-#seutil_manage_module_store(useradd_t)
-#seutil_get_semanage_trans_lock(useradd_t)
-#seutil_get_semanage_read_lock(useradd_t)
-seutil_run_semanage(useradd_t, useradd_roles)
-seutil_run_setfiles(useradd_t, useradd_roles)
+seutil_domtrans_semanage(useradd_t)
+seutil_domtrans_setfiles(useradd_t)
+seutil_domtrans_loadpolicy(useradd_t)
+seutil_manage_bin_policy(useradd_t)
+seutil_manage_module_store(useradd_t)
+seutil_get_semanage_trans_lock(useradd_t)
+seutil_get_semanage_read_lock(useradd_t)
+#seutil_run_semanage(useradd_t, useradd_roles)
+#seutil_run_setfiles(useradd_t, useradd_roles)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@@ -576,7 +586,8 @@ optional_policy(`
')
optional_policy(`
- nscd_run(useradd_t, useradd_roles)
+ nscd_domtrans(useradd_t)
+# nscd_run(useradd_t, useradd_roles)
')
optional_policy(`
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 174cfdb..7071460 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -38,11 +38,22 @@ interface(`iptables_domtrans',`
#
interface(`iptables_run',`
gen_require(`
- attribute_role iptables_roles;
+ #attribute_role iptables_roles;
+ type iptables_t;
')
+ #iptables_domtrans($1)
+ #roleattribute $2 iptables_roles;
+
iptables_domtrans($1)
- roleattribute $2 iptables_roles;
+ role $2 types iptables_t;
+
+ sysnet_run_ifconfig(iptables_t, $2)
+
+ optional_policy(`
+ modutils_run_insmod(iptables_t, $2)
+ ')
+
')
########################################
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index cc8d773..36e02fa 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -5,13 +5,14 @@ policy_module(iptables, 1.13.0)
# Declarations
#
-attribute_role iptables_roles;
-roleattribute system_r iptables_roles;
+#attribute_role iptables_roles;
+#roleattribute system_r iptables_roles;
type iptables_t;
type iptables_exec_t;
init_system_domain(iptables_t, iptables_exec_t)
-role iptables_roles types iptables_t;
+#role iptables_roles types iptables_t;
+role system_r types iptables_t;
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -97,7 +98,8 @@ logging_send_syslog_msg(iptables_t)
miscfiles_read_localization(iptables_t)
-sysnet_run_ifconfig(iptables_t, iptables_roles)
+#sysnet_run_ifconfig(iptables_t, iptables_roles)
+sysnet_domtrans_ifconfig(iptables_t)
sysnet_dns_name_resolve(iptables_t)
userdom_use_inherited_user_terminals(iptables_t)
@@ -119,7 +121,8 @@ optional_policy(`
')
optional_policy(`
- modutils_run_insmod(iptables_t, iptables_roles)
+ modutils_domtrans_insmod(iptables_t)
+ #modutils_run_insmod(iptables_t, iptables_roles)
')
optional_policy(`
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 786f87a..2debedc 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -345,11 +345,18 @@ interface(`modutils_domtrans_update_mods',`
#
interface(`modutils_run_update_mods',`
gen_require(`
- attribute_role update_modules_roles;
+ #attribute_role update_modules_roles;
+ type update_modules_t;
')
+ #modutils_domtrans_update_mods($1)
+ #roleattribute $2 update_modules_roles;
+
modutils_domtrans_update_mods($1)
- roleattribute $2 update_modules_roles;
+ role $2 types update_modules_t;
+
+ modutils_run_insmod(update_modules_t, $2)
+
')
########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index b83608d..86a7107 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.12.1)
# Declarations
#
-attribute_role update_modules_roles;
+#attribute_role update_modules_roles;
type depmod_t;
type depmod_exec_t;
@@ -30,8 +30,9 @@ files_type(modules_dep_t)
type update_modules_t;
type update_modules_exec_t;
init_system_domain(update_modules_t, update_modules_exec_t)
-roleattribute system_r update_modules_roles;
-role update_modules_roles types update_modules_t;
+#roleattribute system_r update_modules_roles;
+#role update_modules_roles types update_modules_t;
+role system_r types update_modules_t;
type update_modules_tmp_t;
files_tmp_file(update_modules_tmp_t)
@@ -318,7 +319,7 @@ logging_send_syslog_msg(update_modules_t)
miscfiles_read_localization(update_modules_t)
-modutils_run_insmod(update_modules_t, update_modules_roles)
+#modutils_run_insmod(update_modules_t, update_modules_roles)
userdom_use_inherited_user_terminals(update_modules_t)
userdom_dontaudit_search_user_home_dirs(update_modules_t)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 52e78b8..4881d86 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -44,11 +44,36 @@ interface(`mount_domtrans',`
#
interface(`mount_run',`
gen_require(`
- attribute_role mount_roles;
+ #attribute_role mount_roles;
+ type mount_t;
')
+ #mount_domtrans($1)
+ #roleattribute $2 mount_roles;
+
mount_domtrans($1)
- roleattribute $2 mount_roles;
+ role $2 types mount_t;
+
+ optional_policy(`
+ fstools_run(mount_t, $2)
+ ')
+
+ optional_policy(`
+ lvm_run(mount_t, $2)
+ ')
+
+ optional_policy(`
+ modutils_run_insmod(mount_t, $2)
+ ')
+
+ optional_policy(`
+ rpc_run_rpcd(mount_t, $2)
+ ')
+
+ optional_policy(`
+ samba_run_smbmount(mount_t, $2)
+ ')
+
')
########################################
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index cc76452..14320fe 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -12,13 +12,14 @@ policy_module(mount, 1.14.2)
## </desc>
gen_tunable(allow_mount_anyfile, false)
-attribute_role mount_roles;
-roleattribute system_r mount_roles;
+#attribute_role mount_roles;
+#roleattribute system_r mount_roles;
type mount_t;
type mount_exec_t;
init_system_domain(mount_t, mount_exec_t)
-role mount_roles types mount_t;
+#role mount_roles types mount_t;
+role system_r types mount_t;
type fusermount_exec_t;
domain_entry_file(mount_t, fusermount_exec_t)
@@ -286,25 +287,28 @@ optional_policy(`
# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
optional_policy(`
- lvm_run(mount_t, mount_roles)
+# lvm_run(mount_t, mount_roles)
+ lvm_domtrans(mount_t)
')
optional_policy(`
- modutils_run_insmod(mount_t, mount_roles)
+ #modutils_run_insmod(mount_t, mount_roles)
+ modutils_domtrans_insmod(mount_t)
modutils_read_module_deps(mount_t)
')
optional_policy(`
- fstools_run(mount_t, mount_roles)
+ fstools_domtrans(mount_t)
+ #fstools_run(mount_t, mount_roles)
')
optional_policy(`
rhcs_stream_connect_gfs_controld(mount_t)
')
-optional_policy(`
- rpc_run_rpcd(mount_t, mount_roles)
-')
+#optional_policy(`
+# rpc_run_rpcd(mount_t, mount_roles)
+#')
# for kernel package installation
optional_policy(`
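Review bot: The `rpc_run_rpcd(mount_t, mount_roles)` block is commented out without an `rpc_domtrans_rpcd(mount_t)` replacement, whereas the lvm, modutils and fstools calls in the same hunk keep their `_domtrans` form. `mount_t` is an `init_system_domain`, so a mount started from an init script as `system_r` never passes through `mount_run` and would lose the transition to rpcd entirely; only roles that call `mount_run` get it back through the new `rpc_run_rpcd(mount_t, $2)` in mount.if. The same shape appears in selinuxutil.te, where `namespace_init_run(newrole_t, newrole_roles)` is commented out with no `_domtrans` counterpart for `newrole_t`. Keeping an `optional_policy(` block with `rpc_domtrans_rpcd(mount_t)` here would match the other conversions.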
@@ -314,7 +318,8 @@ optional_policy(`
optional_policy(`
samba_read_config(mount_t)
- samba_run_smbmount(mount_t, mount_roles)
+ samba_domtrans_smbmount(mount_t)
+ #samba_run_smbmount(mount_t, mount_roles)
')
optional_policy(`
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index a853819..cebf588 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
#
interface(`seutil_run_newrole',`
gen_require(`
- attribute_role newrole_roles;
+ type newrole_t;
+ #attribute_role newrole_roles;
')
+ #seutil_domtrans_newrole($1)
+ #roleattribute $2 newrole_roles;
+
seutil_domtrans_newrole($1)
- roleattribute $2 newrole_roles;
+ role $2 types newrole_t;
+
+ auth_run_upd_passwd(newrole_t, $2)
+
+ optional_policy(`
+ namespace_init_run(newrole_t, $2)
+ ')
+
')
########################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 2aee0c0..4c24e3e 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -14,7 +14,7 @@ attribute can_relabelto_binary_policy;
attribute setfiles_domain;
attribute seutil_semanage_domain;
-attribute_role newrole_roles;
+#attribute_role newrole_roles;
attribute_role run_init_roles;
role system_r types run_init_t;
@@ -65,7 +65,8 @@ application_domain(newrole_t, newrole_exec_t)
domain_role_change_exemption(newrole_t)
domain_obj_id_change_exemption(newrole_t)
domain_interactive_fd(newrole_t)
-role newrole_roles types newrole_t;
+#role newrole_roles types newrole_t;
+role system_r types newrole_t;
#
# policy_config_t is the type of /etc/security/selinux/*
@@ -299,10 +300,11 @@ term_relabel_all_ptys(newrole_t)
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
-auth_use_nsswitch(newrole_t)
-auth_run_chk_passwd(newrole_t, newrole_roles)
-auth_run_upd_passwd(newrole_t, newrole_roles)
-auth_rw_faillog(newrole_t)
+#auth_use_nsswitch(newrole_t)
+#auth_run_chk_passwd(newrole_t, newrole_roles)
+#auth_run_upd_passwd(newrole_t, newrole_roles)
+#auth_rw_faillog(newrole_t)
+auth_use_pam(newrole_t)
# Write to utmp.
init_rw_utmp(newrole_t)
@@ -322,9 +324,9 @@ optional_policy(`
dbus_system_bus_client(newrole_t)
')
-optional_policy(`
- namespace_init_run(newrole_t, newrole_roles)
-')
+#optional_policy(`
+# namespace_init_run(newrole_t, newrole_roles)
+#')
optional_policy(`
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 7b08f77..949fdcc 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,47 @@ interface(`sysnet_domtrans_dhcpc',`
#
interface(`sysnet_run_dhcpc',`
gen_require(`
- attribute_role dhcpc_roles;
+ type dhcpc_t;
+ #attribute_role dhcpc_roles;
')
+ #sysnet_domtrans_dhcpc($1)
+ #roleattribute $2 dhcpc_roles;
+
sysnet_domtrans_dhcpc($1)
- roleattribute $2 dhcpc_roles;
+ role $2 types dhcpc_t;
+
+ modutils_run_insmod(dhcpc_t, $2)
+
+ sysnet_run_ifconfig(dhcpc_t, $2)
+
+ optional_policy(`
+ hostname_run(dhcpc_t, $2)
+ ')
+
+ optional_policy(`
+ netutils_run(dhcpc_t, $2)
+ netutils_run_ping(dhcpc_t, $2)
+ ')
+
+ optional_policy(`
+ networkmanager_run(dhcpc_t, $2)
+ ')
+
+ optional_policy(`
+ nis_run_ypbind(dhcpc_t, $2)
+ ')
+
+ optional_policy(`
+ nscd_run(dhcpc_t, $2)
+ ')
+
+ optional_policy(`
+ ntp_run(dhcpc_t, $2)
+ ')
+
+ seutil_run_setfiles(dhcpc_t, $2)
+
')
########################################
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 2d2b6ef..1bfcd4f 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -12,8 +12,8 @@ policy_module(sysnetwork, 1.13.2)
## </desc>
gen_tunable(dhcpc_exec_iptables, false)
-attribute_role dhcpc_roles;
-roleattribute system_r dhcpc_roles;
+#attribute_role dhcpc_roles;
+#roleattribute system_r dhcpc_roles;
# this is shared between dhcpc and dhcpd:
type dhcp_etc_t;
@@ -27,7 +27,8 @@ files_type(dhcp_state_t)
type dhcpc_t;
type dhcpc_exec_t;
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
-role dhcpc_roles types dhcpc_t;
+#role dhcpc_roles types dhcpc_t;
+role system_r types dhcpc_t;
type dhcpc_helper_exec_t;
init_script_file(dhcpc_helper_exec_t)
@@ -159,9 +160,10 @@ logging_send_syslog_msg(dhcpc_t)
miscfiles_read_generic_certs(dhcpc_t)
miscfiles_read_localization(dhcpc_t)
-modutils_run_insmod(dhcpc_t, dhcpc_roles)
+#modutils_run_insmod(dhcpc_t, dhcpc_roles)
+modutils_domtrans_insmod(dhcpc_t)
+#sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
-sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
userdom_use_user_terminals(dhcpc_t)
userdom_dontaudit_search_user_home_dirs(dhcpc_t)
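Review bot: `sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)` is removed here with no `sysnet_domtrans_ifconfig(dhcpc_t)` put in its place, unlike the modutils line directly above and the iptables.te hunk in this commit, which replaces `sysnet_run_ifconfig(iptables_t, iptables_roles)` with `sysnet_domtrans_ifconfig(iptables_t)`. `dhcpc_t` is an `init_daemon_domain`, so the dhcp client started by init as `system_r` does not go through `sysnet_run_dhcpc` and, unless the transition is granted elsewhere in sysnetwork.te, would be denied when it execs ifconfig. Adding `sysnet_domtrans_ifconfig(dhcpc_t)` next to `modutils_domtrans_insmod(dhcpc_t)` keeps the two conversions consistent.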
@@ -176,9 +178,9 @@ ifdef(`distro_ubuntu',`
')
')
-optional_policy(`
- consoletype_run(dhcpc_t, dhcpc_roles)
-')
+#optional_policy(`
+# consoletype_run(dhcpc_t, dhcpc_roles)
+#')
optional_policy(`
chronyd_initrc_domtrans(dhcpc_t)
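Review bot: `consoletype_run(dhcpc_t, dhcpc_roles)` is commented out with nothing taking its place, neither a `consoletype_domtrans(dhcpc_t)` here nor a `consoletype_run(dhcpc_t, $2)` in the new `sysnet_run_dhcpc` body, so this is the one call in the commit whose transition is dropped outright rather than converted. If that is intended, a one-line comment saying why dhcpc no longer needs consoletype would stop the next reader from restoring it; otherwise `consoletype_domtrans(dhcpc_t)` inside the `optional_policy(` block matches how hostname is handled just below.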
@@ -203,7 +205,8 @@ optional_policy(`
')
optional_policy(`
- hostname_run(dhcpc_t, dhcpc_roles)
+ hostname_domtrans(dhcpc_t)
+# hostname_run(dhcpc_t, dhcpc_roles)
')
optional_policy(`
commit 0a0c8b9d35398f3662db1b0bdb2f4c7761121ba1
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 02:26:53 2012 +0200
roleattribute patch for passwd_t
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 764260e..da75471 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -176,7 +176,7 @@ interface(`usermanage_kill_passwd',`
#
interface(`usermanage_run_passwd',`
gen_require(`
- type type passwd_t;
+ type passwd_t;
#attribute_role passwd_roles;
')
commit 0b71245f63ddbb6ca00790fa5318db798286d8d8
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 02:38:28 2012 +0200
Fix also for sysnetwork.te
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 1bfcd4f..3a94d52 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -226,8 +226,10 @@ optional_policy(`
# for the dhcp client to run ping to check IP addresses
optional_policy(`
- netutils_run_ping(dhcpc_t, dhcpc_roles)
- netutils_run(dhcpc_t, dhcpc_roles)
+ #netutils_run_ping(dhcpc_t, dhcpc_roles)
+ #netutils_run(dhcpc_t, dhcpc_roles)
+ netutils_domtrans_ping(dhcpc_t)
+ netutils_domtrans(dhcpc_t
',`
allow dhcpc_t self:capability setuid;
allow dhcpc_t self:rawip_socket create_socket_perms;
commit fdfc3cf8dbc69bda177afe16e78a52891cb6da4a
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 02:41:48 2012 +0200
Other
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3a94d52..6a6f03f 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -229,7 +229,7 @@ optional_policy(`
#netutils_run_ping(dhcpc_t, dhcpc_roles)
#netutils_run(dhcpc_t, dhcpc_roles)
netutils_domtrans_ping(dhcpc_t)
- netutils_domtrans(dhcpc_t
+ netutils_domtrans(dhcpc_t)
',`
allow dhcpc_t self:capability setuid;
allow dhcpc_t self:rawip_socket create_socket_perms;
commit 2ea19d46d563741f998001a38f9d4dbb4d1fdd06
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 08:10:01 2012 +0200
Fix passwd
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index a077b28..396909c 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -526,11 +526,6 @@ fs_getattr_xattr_fs(useradd_t)
mls_file_upgrade(useradd_t)
mls_process_read_to_clearance(useradd_t)
-seutil_semanage_policy(useradd_t)
-seutil_manage_file_contexts(useradd_t)
-seutil_manage_config(useradd_t)
-seutil_manage_default_contexts(useradd_t)
-
term_use_all_inherited_terms(useradd_t)
term_getattr_all_ptys(useradd_t)
@@ -554,14 +549,19 @@ logging_send_syslog_msg(useradd_t)
miscfiles_read_localization(useradd_t)
+seutil_semanage_policy(useradd_t)
+seutil_manage_file_contexts(useradd_t)
+seutil_manage_config(useradd_t)
+seutil_manage_default_contexts(useradd_t)
+
seutil_read_config(useradd_t)
seutil_read_file_contexts(useradd_t)
seutil_read_default_contexts(useradd_t)
seutil_domtrans_semanage(useradd_t)
seutil_domtrans_setfiles(useradd_t)
seutil_domtrans_loadpolicy(useradd_t)
-seutil_manage_bin_policy(useradd_t)
-seutil_manage_module_store(useradd_t)
+#seutil_manage_bin_policy(useradd_t)
+#seutil_manage_module_store(useradd_t)
seutil_get_semanage_trans_lock(useradd_t)
seutil_get_semanage_read_lock(useradd_t)
#seutil_run_semanage(useradd_t, useradd_roles)
commit db92f5bcb6fe7f86aae12dffe64ec3d920815343
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 08:30:34 2012 +0200
Also for semanage_roles
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index cebf588..7e38077 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1140,11 +1140,18 @@ interface(`seutil_domtrans_setsebool',`
#
interface(`seutil_run_semanage',`
gen_require(`
- attribute_role semanage_roles;
+ #attribute_role semanage_roles;
+ type semanage_t;
')
+ #seutil_domtrans_semanage($1)
+ #roleattribute $2 semanage_roles;
+
seutil_domtrans_semanage($1)
- roleattribute $2 semanage_roles;
+ seutil_run_setfiles(semanage_t, $2)
+ seutil_run_loadpolicy(semanage_t, $2)
+ role $2 types semanage_t;
+
')
########################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 4c24e3e..90498cd 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -19,8 +19,8 @@ attribute seutil_semanage_domain;
attribute_role run_init_roles;
role system_r types run_init_t;
-attribute_role semanage_roles;
-roleattribute system_r semanage_roles;
+#attribute_role semanage_roles;
+#roleattribute system_r semanage_roles;
#
# selinux_config_t is the type applied to
@@ -110,7 +110,8 @@ application_domain(semanage_t, semanage_exec_t)
dbus_system_domain(semanage_t, semanage_exec_t)
init_daemon_domain(semanage_t, semanage_exec_t)
domain_interactive_fd(semanage_t)
-role semanage_roles types semanage_t;
+#role semanage_roles types semanage_t;
+role system_r types semanage_t;
type setsebool_t;
type setsebool_exec_t;
@@ -530,14 +531,15 @@ files_read_non_security_files(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
-
-seutil_run_setfiles(semanage_t, semanage_roles)
-seutil_run_loadpolicy(semanage_t, semanage_roles)
-seutil_manage_bin_policy(semanage_t)
-seutil_use_newrole_fds(semanage_t)
-seutil_manage_module_store(semanage_t)
-seutil_get_semanage_trans_lock(semanage_t)
-seutil_get_semanage_read_lock(semanage_t)
+seutil_domtrans_setfiles(semanage_t)
+
+#seutil_run_setfiles(semanage_t, semanage_roles)
+#seutil_run_loadpolicy(semanage_t, semanage_roles)
+#seutil_manage_bin_policy(semanage_t)
+#seutil_use_newrole_fds(semanage_t)
+#seutil_manage_module_store(semanage_t)
+#seutil_get_semanage_trans_lock(semanage_t)
+#seutil_get_semanage_read_lock(semanage_t)
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
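Review bot: Beyond the two `_run` calls, this hunk also comments out `seutil_manage_bin_policy`, `seutil_use_newrole_fds`, `seutil_manage_module_store`, `seutil_get_semanage_trans_lock` and `seutil_get_semanage_read_lock` for `semanage_t`, which are plain type permissions with no role component and so are not part of the role-attribute conversion. Unless `semanage_t` already receives them through the `seutil_semanage_domain` attribute declared earlier in this file, semanage would lose write access to the module store and to the policy locks. Separately, only `seutil_domtrans_setfiles(semanage_t)` is added, so a `semanage_t` entered as `system_r` (it is an `init_daemon_domain` and dbus domain) has no transition to load_policy; `seutil_domtrans_loadpolicy(semanage_t)` alongside it would mirror the `seutil_run_loadpolicy(semanage_t, $2)` added to the interface.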
commit aebf9204ec2a7cfb943327eb3aace2a9b4130769
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 08:38:22 2012 +0200
run_init roles
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 7e38077..6903c5e 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -457,11 +457,20 @@ interface(`seutil_init_script_domtrans_runinit',`
#
interface(`seutil_run_runinit',`
gen_require(`
- attribute_role run_init_roles;
+ #attribute_role run_init_roles;
+ type run_init_t;
+ role system_r;
')
- seutil_domtrans_runinit($1)
- roleattribute $2 run_init_roles;
+ #seutil_domtrans_runinit($1)
+ #roleattribute $2 run_init_roles;
+
+ auth_run_chk_passwd(run_init_t, $2)
+ seutil_domtrans_runinit($1)
+ role $2 types run_init_t;
+
+ allow $2 system_r;
+
')
########################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 90498cd..06b4e9a 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -16,8 +16,8 @@ attribute seutil_semanage_domain;
#attribute_role newrole_roles;
-attribute_role run_init_roles;
-role system_r types run_init_t;
+#attribute_role run_init_roles;
+#role system_r types run_init_t;
#attribute_role semanage_roles;
#roleattribute system_r semanage_roles;
@@ -102,7 +102,8 @@ type run_init_t;
type run_init_exec_t;
application_domain(run_init_t, run_init_exec_t)
domain_system_change_exemption(run_init_t)
-role run_init_roles types run_init_t;
+#role run_init_roles types run_init_t;
+role system_r types run_init_t;
type semanage_t;
type semanage_exec_t;
@@ -412,7 +413,7 @@ optional_policy(`
# Run_init local policy
#
-allow run_init_roles system_r;
+#allow run_init_roles system_r;
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
@@ -449,11 +450,17 @@ selinux_compute_user_contexts(run_init_t)
term_use_console(run_init_t)
+#auth_use_nsswitch(run_init_t)
+#auth_run_chk_passwd(run_init_t, run_init_roles)
+#auth_run_upd_passwd(run_init_t, run_init_roles)
+#auth_dontaudit_read_shadow(run_init_t)
+
auth_use_nsswitch(run_init_t)
-auth_run_chk_passwd(run_init_t, run_init_roles)
-auth_run_upd_passwd(run_init_t, run_init_roles)
+auth_domtrans_chk_passwd(run_init_t)
+auth_domtrans_upd_passwd(run_init_t)
auth_dontaudit_read_shadow(run_init_t)
+
init_spec_domtrans_script(run_init_t)
# for utmp
init_rw_utmp(run_init_t)
commit 4803dd3583e4c84e24a7f6974e195bb8145f1bb5
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 10:01:51 2012 +0200
One more for run_init
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 6903c5e..b64a37a 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -502,11 +502,19 @@ interface(`seutil_run_runinit',`
#
interface(`seutil_init_script_run_runinit',`
gen_require(`
- attribute_role run_init_roles;
+ #attribute_role run_init_roles;
+ type run_init_t;
+ role system_r;
')
- seutil_init_script_domtrans_runinit($1)
- roleattribute $2 run_init_roles;
+ #seutil_init_script_domtrans_runinit($1)
+ #roleattribute $2 run_init_roles;
+ auth_run_chk_passwd(run_init_t, $2)
+ seutil_init_script_domtrans_runinit($1)
+ role $2 types run_init_t;
+
+ allow $2 system_r;
+
')
########################################