diff --git a/policy-rawhide-roleattribute.patch b/policy-rawhide-roleattribute.patch
deleted file mode 100644
index ee99cdb..0000000
--- a/policy-rawhide-roleattribute.patch
+++ /dev/null
@@ -1,1128 +0,0 @@ -commit cfa63bfedb3b94a2b78bc3ee394cf7132167e45b -Author: Miroslav Grepl -Date: Thu Jun 7 02:18:29 2012 +0200 - - roleattribute patch - -diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if -index 4a50807..5e914db 100644 ---- a/policy/modules/admin/bootloader.if -+++ b/policy/modules/admin/bootloader.if -@@ -56,11 +56,21 @@ interface(`bootloader_exec',` - # - interface(`bootloader_run',` - gen_require(` -- attribute_role bootloader_roles; -+ type bootloader_t; -+ #attribute_role bootloader_roles; - ') - -+ #bootloader_domtrans($1) -+ #roleattribute $2 bootloader_roles; -+ - bootloader_domtrans($1) -- roleattribute $2 bootloader_roles; -+ -+ role $2 types bootloader_t; -+ -+ ifdef(`distro_redhat',` -+ # for mke2fs -+ mount_run(bootloader_t, $2) -+ ') - ') - - ######################################## -diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index 81a08e4..e717a21 100644 ---- a/policy/modules/admin/bootloader.te -+++ b/policy/modules/admin/bootloader.te -@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0) - # Declarations - # - --attribute_role bootloader_roles; --roleattribute system_r bootloader_roles; -+#attribute_role bootloader_roles; -+#roleattribute system_r bootloader_roles; - - # - # boot_runtime_t is the type for /boot/kernel.h, -@@ -19,7 +19,8 @@ files_type(boot_runtime_t) - type bootloader_t; - type bootloader_exec_t; - application_domain(bootloader_t, bootloader_exec_t) --role bootloader_roles types bootloader_t; -+#role bootloader_roles types bootloader_t; -+role system_r types bootloader_t; - - # - # bootloader_etc_t is the configuration file, -@@ -174,7 +175,8 @@ ifdef(`distro_redhat',` - files_manage_isid_type_chr_files(bootloader_t) - - # for mke2fs -- mount_run(bootloader_t, bootloader_roles) -+ #mount_run(bootloader_t, bootloader_roles) -+ mount_domtrans(bootloader_t) - - optional_policy(` - unconfined_domain(bootloader_t) -diff --git 
a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if -index 4d387af..764260e 100644 ---- a/policy/modules/admin/usermanage.if -+++ b/policy/modules/admin/usermanage.if -@@ -37,11 +37,16 @@ interface(`usermanage_domtrans_chfn',` - # - interface(`usermanage_run_chfn',` - gen_require(` -- attribute_role chfn_roles; -+ #attribute_role chfn_roles; -+ type chfn_t; - ') - -+ #usermanage_domtrans_chfn($1) -+ #roleattribute $2 chfn_roles; -+ - usermanage_domtrans_chfn($1) -- roleattribute $2 chfn_roles; -+ role $2 types chfn_t; -+ - ') - - ######################################## -@@ -101,11 +106,19 @@ interface(`usermanage_access_check_groupadd',` - # - interface(`usermanage_run_groupadd',` - gen_require(` -- attribute_role groupadd_roles; -+ type groupadd_t; -+ #attribute_role groupadd_roles; - ') - -+ #usermanage_domtrans_groupadd($1) -+ #roleattribute $2 groupadd_roles; - usermanage_domtrans_groupadd($1) -- roleattribute $2 groupadd_roles; -+ role $2 types groupadd_t; -+ -+ optional_policy(` -+ nscd_run(groupadd_t, $2) -+ ') -+ - ') - - ######################################## -@@ -163,11 +176,17 @@ interface(`usermanage_kill_passwd',` - # - interface(`usermanage_run_passwd',` - gen_require(` -- attribute_role passwd_roles; -+ type type passwd_t; -+ #attribute_role passwd_roles; - ') - -+ #usermanage_domtrans_passwd($1) -+ #roleattribute $2 passwd_roles; -+ - usermanage_domtrans_passwd($1) -- roleattribute $2 passwd_roles; -+ role $2 types passwd_t; -+ auth_run_chk_passwd(passwd_t, $2) -+ - ') - - ######################################## -@@ -229,11 +248,20 @@ interface(`usermanage_domtrans_admin_passwd',` - # - interface(`usermanage_run_admin_passwd',` - gen_require(` -- attribute_role sysadm_passwd_roles; -+ type sysadm_passwd_t; -+ #attribute_role sysadm_passwd_roles; - ') - -+ #usermanage_domtrans_admin_passwd($1) -+ #roleattribute $2 sysadm_passwd_roles; -+ - usermanage_domtrans_admin_passwd($1) -- roleattribute $2 sysadm_passwd_roles; -+ role 
$2 types sysadm_passwd_t; -+ -+ optional_policy(` -+ nscd_run(sysadm_passwd_t, $2) -+ ') -+ - ') - - ######################################## -@@ -292,11 +320,20 @@ interface(`usermanage_domtrans_useradd',` - # - interface(`usermanage_run_useradd',` - gen_require(` -- attribute_role useradd_roles; -+ #attribute_role useradd_roles; -+ type sysadm_passwd_t; - ') - -- usermanage_domtrans_useradd($1) -- roleattribute $2 useradd_roles; -+ #usermanage_domtrans_useradd($1) -+ #roleattribute $2 useradd_roles; -+ -+ usermanage_domtrans_admin_passwd($1) -+ role $2 types sysadm_passwd_t; -+ -+ optional_policy(` -+ nscd_run(sysadm_passwd_t, $2) -+ ') -+ - ') - - ######################################## -diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 446b743..a077b28 100644 ---- a/policy/modules/admin/usermanage.te -+++ b/policy/modules/admin/usermanage.te -@@ -5,18 +5,18 @@ policy_module(usermanage, 1.17.3) - # Declarations - # - --attribute_role chfn_roles; --role system_r types chfn_t; -+#attribute_role chfn_roles; -+#role system_r types chfn_t; - --attribute_role groupadd_roles; -+#attribute_role groupadd_roles; - --attribute_role passwd_roles; --roleattribute system_r passwd_roles; -+#attribute_role passwd_roles; -+#roleattribute system_r passwd_roles; - --attribute_role sysadm_passwd_roles; --roleattribute system_r sysadm_passwd_roles; -+#attribute_role sysadm_passwd_roles; -+#roleattribute system_r sysadm_passwd_roles; - --attribute_role useradd_roles; -+#attribute_role useradd_roles; - - type admin_passwd_exec_t; - files_type(admin_passwd_exec_t) -@@ -25,7 +25,8 @@ type chfn_t; - type chfn_exec_t; - domain_obj_id_change_exemption(chfn_t) - application_domain(chfn_t, chfn_exec_t) --role chfn_roles types chfn_t; -+#role chfn_roles types chfn_t; -+role system_r types chfn_t; - - type crack_t; - type crack_exec_t; -@@ -42,18 +43,21 @@ type groupadd_t; - type groupadd_exec_t; - domain_obj_id_change_exemption(groupadd_t) - 
init_system_domain(groupadd_t, groupadd_exec_t) --role groupadd_roles types groupadd_t; -+#role groupadd_roles types groupadd_t; -+ - - type passwd_t; - type passwd_exec_t; - domain_obj_id_change_exemption(passwd_t) - application_domain(passwd_t, passwd_exec_t) --role passwd_roles types passwd_t; -+#role passwd_roles types passwd_t; -+role system_r types passwd_t; - - type sysadm_passwd_t; - domain_obj_id_change_exemption(sysadm_passwd_t) - application_domain(sysadm_passwd_t, admin_passwd_exec_t) --role sysadm_passwd_roles types sysadm_passwd_t; -+#role sysadm_passwd_roles types sysadm_passwd_t; -+role system_r types sysadm_passwd_t; - - type sysadm_passwd_tmp_t; - files_tmp_file(sysadm_passwd_tmp_t) -@@ -62,7 +66,8 @@ type useradd_t; - type useradd_exec_t; - domain_obj_id_change_exemption(useradd_t) - init_system_domain(useradd_t, useradd_exec_t) --role useradd_roles types useradd_t; -+#role useradd_roles types useradd_t; -+role system_r types useradd_t; - - ######################################## - # -@@ -106,11 +111,11 @@ fs_search_auto_mountpoints(chfn_t) - dev_read_urand(chfn_t) - dev_dontaudit_getattr_all(chfn_t) - --#auth_manage_passwd(chfn_t) --#auth_use_pam(chfn_t) --auth_run_chk_passwd(chfn_t, chfn_roles) --auth_dontaudit_read_shadow(chfn_t) --auth_use_nsswitch(chfn_t) -+auth_manage_passwd(chfn_t) -+auth_use_pam(chfn_t) -+#auth_run_chk_passwd(chfn_t, chfn_roles) -+#auth_dontaudit_read_shadow(chfn_t) -+#auth_use_nsswitch(chfn_t) - - # allow checking if a shell is executable - corecmd_check_exec_shell(chfn_t) -@@ -250,7 +255,8 @@ logging_send_syslog_msg(groupadd_t) - - miscfiles_read_localization(groupadd_t) - --auth_run_chk_passwd(groupadd_t, groupadd_roles) -+#auth_run_chk_passwd(groupadd_t, groupadd_roles) -+auth_domtrans_chk_passwd(groupadd_t) - auth_rw_lastlog(groupadd_t) - auth_use_nsswitch(groupadd_t) - auth_manage_passwd(groupadd_t) -@@ -273,7 +279,8 @@ optional_policy(` - ') - - optional_policy(` -- nscd_run(groupadd_t, groupadd_roles) -+# 
nscd_run(groupadd_t, groupadd_roles) -+ nscd_domtrans(groupadd_t) - ') - - optional_policy(` -@@ -332,18 +339,18 @@ selinux_compute_user_contexts(passwd_t) - term_use_all_inherited_terms(passwd_t) - term_getattr_all_ptys(passwd_t) - --#auth_manage_passwd(passwd_t) --#auth_manage_shadow(passwd_t) --#auth_relabel_shadow(passwd_t) --#auth_etc_filetrans_shadow(passwd_t) --#auth_use_pam(passwd_t) -- --auth_run_chk_passwd(passwd_t, passwd_roles) - auth_manage_passwd(passwd_t) - auth_manage_shadow(passwd_t) - auth_relabel_shadow(passwd_t) - auth_etc_filetrans_shadow(passwd_t) --auth_use_nsswitch(passwd_t) -+auth_use_pam(passwd_t) -+ -+#auth_run_chk_passwd(passwd_t, passwd_roles) -+#auth_manage_passwd(passwd_t) -+#auth_manage_shadow(passwd_t) -+#auth_relabel_shadow(passwd_t) -+#auth_etc_filetrans_shadow(passwd_t) -+#auth_use_nsswitch(passwd_t) - - # allow checking if a shell is executable - corecmd_check_exec_shell(passwd_t) -@@ -385,7 +392,8 @@ userdom_dontaudit_search_user_home_content(passwd_t) - userdom_stream_connect(passwd_t) - - optional_policy(` -- nscd_run(passwd_t, passwd_roles) -+ #nscd_run(passwd_t, passwd_roles) -+ nscd_domtrans(passwd_t) - ') - - ######################################## -@@ -469,7 +477,8 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t) - userdom_dontaudit_search_user_home_content(sysadm_passwd_t) - - optional_policy(` -- nscd_run(sysadm_passwd_t, sysadm_passwd_roles) -+ nscd_domtrans(sysadm_passwd_t) -+ #nscd_run(sysadm_passwd_t, sysadm_passwd_roles) - ') - - ######################################## -@@ -525,7 +534,8 @@ seutil_manage_default_contexts(useradd_t) - term_use_all_inherited_terms(useradd_t) - term_getattr_all_ptys(useradd_t) - --auth_run_chk_passwd(useradd_t, useradd_roles) -+#auth_run_chk_passwd(useradd_t, useradd_roles) -+auth_domtrans_chk_passwd(useradd_t) - auth_rw_lastlog(useradd_t) - auth_rw_faillog(useradd_t) - auth_use_nsswitch(useradd_t) -@@ -547,15 +557,15 @@ miscfiles_read_localization(useradd_t) - 
seutil_read_config(useradd_t) - seutil_read_file_contexts(useradd_t) - seutil_read_default_contexts(useradd_t) --#seutil_domtrans_semanage(useradd_t) --#seutil_domtrans_setfiles(useradd_t) --#seutil_domtrans_loadpolicy(useradd_t) --#seutil_manage_bin_policy(useradd_t) --#seutil_manage_module_store(useradd_t) --#seutil_get_semanage_trans_lock(useradd_t) --#seutil_get_semanage_read_lock(useradd_t) --seutil_run_semanage(useradd_t, useradd_roles) --seutil_run_setfiles(useradd_t, useradd_roles) -+seutil_domtrans_semanage(useradd_t) -+seutil_domtrans_setfiles(useradd_t) -+seutil_domtrans_loadpolicy(useradd_t) -+seutil_manage_bin_policy(useradd_t) -+seutil_manage_module_store(useradd_t) -+seutil_get_semanage_trans_lock(useradd_t) -+seutil_get_semanage_read_lock(useradd_t) -+#seutil_run_semanage(useradd_t, useradd_roles) -+#seutil_run_setfiles(useradd_t, useradd_roles) - - userdom_use_unpriv_users_fds(useradd_t) - # Add/remove user home directories -@@ -576,7 +586,8 @@ optional_policy(` - ') - - optional_policy(` -- nscd_run(useradd_t, useradd_roles) -+ nscd_domtrans(useradd_t) -+# nscd_run(useradd_t, useradd_roles) - ') - - optional_policy(` -diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if -index 174cfdb..7071460 100644 ---- a/policy/modules/system/iptables.if -+++ b/policy/modules/system/iptables.if -@@ -38,11 +38,22 @@ interface(`iptables_domtrans',` - # - interface(`iptables_run',` - gen_require(` -- attribute_role iptables_roles; -+ #attribute_role iptables_roles; -+ type iptables_t; - ') - -+ #iptables_domtrans($1) -+ #roleattribute $2 iptables_roles; -+ - iptables_domtrans($1) -- roleattribute $2 iptables_roles; -+ role $2 types iptables_t; -+ -+ sysnet_run_ifconfig(iptables_t, $2) -+ -+ optional_policy(` -+ modutils_run_insmod(iptables_t, $2) -+ ') -+ - ') - - ######################################## -diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index cc8d773..36e02fa 100644 ---- 
a/policy/modules/system/iptables.te -+++ b/policy/modules/system/iptables.te -@@ -5,13 +5,14 @@ policy_module(iptables, 1.13.0) - # Declarations - # - --attribute_role iptables_roles; --roleattribute system_r iptables_roles; -+#attribute_role iptables_roles; -+#roleattribute system_r iptables_roles; - - type iptables_t; - type iptables_exec_t; - init_system_domain(iptables_t, iptables_exec_t) --role iptables_roles types iptables_t; -+#role iptables_roles types iptables_t; -+role system_r types iptables_t; - - type iptables_initrc_exec_t; - init_script_file(iptables_initrc_exec_t) -@@ -97,7 +98,8 @@ logging_send_syslog_msg(iptables_t) - - miscfiles_read_localization(iptables_t) - --sysnet_run_ifconfig(iptables_t, iptables_roles) -+#sysnet_run_ifconfig(iptables_t, iptables_roles) -+sysnet_domtrans_ifconfig(iptables_t) - sysnet_dns_name_resolve(iptables_t) - - userdom_use_inherited_user_terminals(iptables_t) -@@ -119,7 +121,8 @@ optional_policy(` - ') - - optional_policy(` -- modutils_run_insmod(iptables_t, iptables_roles) -+ modutils_domtrans_insmod(iptables_t) -+ #modutils_run_insmod(iptables_t, iptables_roles) - ') - - optional_policy(` -diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if -index 786f87a..2debedc 100644 ---- a/policy/modules/system/modutils.if -+++ b/policy/modules/system/modutils.if -@@ -345,11 +345,18 @@ interface(`modutils_domtrans_update_mods',` - # - interface(`modutils_run_update_mods',` - gen_require(` -- attribute_role update_modules_roles; -+ #attribute_role update_modules_roles; -+ type update_modules_t; - ') - -+ #modutils_domtrans_update_mods($1) -+ #roleattribute $2 update_modules_roles; -+ - modutils_domtrans_update_mods($1) -- roleattribute $2 update_modules_roles; -+ role $2 types update_modules_t; -+ -+ modutils_run_insmod(update_modules_t, $2) -+ - ') - - ######################################## -diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index b83608d..86a7107 
100644 ---- a/policy/modules/system/modutils.te -+++ b/policy/modules/system/modutils.te -@@ -5,7 +5,7 @@ policy_module(modutils, 1.12.1) - # Declarations - # - --attribute_role update_modules_roles; -+#attribute_role update_modules_roles; - - type depmod_t; - type depmod_exec_t; -@@ -30,8 +30,9 @@ files_type(modules_dep_t) - type update_modules_t; - type update_modules_exec_t; - init_system_domain(update_modules_t, update_modules_exec_t) --roleattribute system_r update_modules_roles; --role update_modules_roles types update_modules_t; -+#roleattribute system_r update_modules_roles; -+#role update_modules_roles types update_modules_t; -+role system_r types update_modules_t; - - type update_modules_tmp_t; - files_tmp_file(update_modules_tmp_t) -@@ -318,7 +319,7 @@ logging_send_syslog_msg(update_modules_t) - - miscfiles_read_localization(update_modules_t) - --modutils_run_insmod(update_modules_t, update_modules_roles) -+#modutils_run_insmod(update_modules_t, update_modules_roles) - - userdom_use_inherited_user_terminals(update_modules_t) - userdom_dontaudit_search_user_home_dirs(update_modules_t) -diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 52e78b8..4881d86 100644 ---- a/policy/modules/system/mount.if -+++ b/policy/modules/system/mount.if -@@ -44,11 +44,36 @@ interface(`mount_domtrans',` - # - interface(`mount_run',` - gen_require(` -- attribute_role mount_roles; -+ #attribute_role mount_roles; -+ type mount_t; - ') - -+ #mount_domtrans($1) -+ #roleattribute $2 mount_roles; -+ - mount_domtrans($1) -- roleattribute $2 mount_roles; -+ role $2 types mount_t; -+ -+ optional_policy(` -+ fstools_run(mount_t, $2) -+ ') -+ -+ optional_policy(` -+ lvm_run(mount_t, $2) -+ ') -+ -+ optional_policy(` -+ modutils_run_insmod(mount_t, $2) -+ ') -+ -+ optional_policy(` -+ rpc_run_rpcd(mount_t, $2) -+ ') -+ -+ optional_policy(` -+ samba_run_smbmount(mount_t, $2) -+ ') -+ - ') - - ######################################## -diff --git 
a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index cc76452..14320fe 100644 ---- a/policy/modules/system/mount.te -+++ b/policy/modules/system/mount.te -@@ -12,13 +12,14 @@ policy_module(mount, 1.14.2) - ## - gen_tunable(allow_mount_anyfile, false) - --attribute_role mount_roles; --roleattribute system_r mount_roles; -+#attribute_role mount_roles; -+#roleattribute system_r mount_roles; - - type mount_t; - type mount_exec_t; - init_system_domain(mount_t, mount_exec_t) --role mount_roles types mount_t; -+#role mount_roles types mount_t; -+role system_r types mount_t; - - type fusermount_exec_t; - domain_entry_file(mount_t, fusermount_exec_t) -@@ -286,25 +287,28 @@ optional_policy(` - - # Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 - optional_policy(` -- lvm_run(mount_t, mount_roles) -+# lvm_run(mount_t, mount_roles) -+ lvm_domtrans(mount_t) - ') - - optional_policy(` -- modutils_run_insmod(mount_t, mount_roles) -+ #modutils_run_insmod(mount_t, mount_roles) -+ modutils_domtrans_insmod(mount_t) - modutils_read_module_deps(mount_t) - ') - - optional_policy(` -- fstools_run(mount_t, mount_roles) -+ fstools_domtrans(mount_t) -+ #fstools_run(mount_t, mount_roles) - ') - - optional_policy(` - rhcs_stream_connect_gfs_controld(mount_t) - ') - --optional_policy(` -- rpc_run_rpcd(mount_t, mount_roles) --') -+#optional_policy(` -+# rpc_run_rpcd(mount_t, mount_roles) -+#') - - # for kernel package installation - optional_policy(` -@@ -314,7 +318,8 @@ optional_policy(` - - optional_policy(` - samba_read_config(mount_t) -- samba_run_smbmount(mount_t, mount_roles) -+ samba_domtrans_smbmount(mount_t) -+ #samba_run_smbmount(mount_t, mount_roles) - ') - - optional_policy(` -diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index a853819..cebf588 100644 ---- a/policy/modules/system/selinuxutil.if -+++ b/policy/modules/system/selinuxutil.if -@@ -192,11 +192,22 @@ 
interface(`seutil_domtrans_newrole',` - # - interface(`seutil_run_newrole',` - gen_require(` -- attribute_role newrole_roles; -+ type newrole_t; -+ #attribute_role newrole_roles; - ') - -+ #seutil_domtrans_newrole($1) -+ #roleattribute $2 newrole_roles; -+ - seutil_domtrans_newrole($1) -- roleattribute $2 newrole_roles; -+ role $2 types newrole_t; -+ -+ auth_run_upd_passwd(newrole_t, $2) -+ -+ optional_policy(` -+ namespace_init_run(newrole_t, $2) -+ ') -+ - ') - - ######################################## -diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 2aee0c0..4c24e3e 100644 ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -14,7 +14,7 @@ attribute can_relabelto_binary_policy; - attribute setfiles_domain; - attribute seutil_semanage_domain; - --attribute_role newrole_roles; -+#attribute_role newrole_roles; - - attribute_role run_init_roles; - role system_r types run_init_t; -@@ -65,7 +65,8 @@ application_domain(newrole_t, newrole_exec_t) - domain_role_change_exemption(newrole_t) - domain_obj_id_change_exemption(newrole_t) - domain_interactive_fd(newrole_t) --role newrole_roles types newrole_t; -+#role newrole_roles types newrole_t; -+role system_r types newrole_t; - - # - # policy_config_t is the type of /etc/security/selinux/* -@@ -299,10 +300,11 @@ term_relabel_all_ptys(newrole_t) - term_getattr_unallocated_ttys(newrole_t) - term_dontaudit_use_unallocated_ttys(newrole_t) - --auth_use_nsswitch(newrole_t) --auth_run_chk_passwd(newrole_t, newrole_roles) --auth_run_upd_passwd(newrole_t, newrole_roles) --auth_rw_faillog(newrole_t) -+#auth_use_nsswitch(newrole_t) -+#auth_run_chk_passwd(newrole_t, newrole_roles) -+#auth_run_upd_passwd(newrole_t, newrole_roles) -+#auth_rw_faillog(newrole_t) -+auth_use_pam(newrole_t) - - # Write to utmp. 
- init_rw_utmp(newrole_t) -@@ -322,9 +324,9 @@ optional_policy(` - dbus_system_bus_client(newrole_t) - ') - --optional_policy(` -- namespace_init_run(newrole_t, newrole_roles) --') -+#optional_policy(` -+# namespace_init_run(newrole_t, newrole_roles) -+#') - - - optional_policy(` -diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 7b08f77..949fdcc 100644 ---- a/policy/modules/system/sysnetwork.if -+++ b/policy/modules/system/sysnetwork.if -@@ -38,11 +38,47 @@ interface(`sysnet_domtrans_dhcpc',` - # - interface(`sysnet_run_dhcpc',` - gen_require(` -- attribute_role dhcpc_roles; -+ type dhcpc_t; -+ #attribute_role dhcpc_roles; - ') - -+ #sysnet_domtrans_dhcpc($1) -+ #roleattribute $2 dhcpc_roles; -+ - sysnet_domtrans_dhcpc($1) -- roleattribute $2 dhcpc_roles; -+ role $2 types dhcpc_t; -+ -+ modutils_run_insmod(dhcpc_t, $2) -+ -+ sysnet_run_ifconfig(dhcpc_t, $2) -+ -+ optional_policy(` -+ hostname_run(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ netutils_run(dhcpc_t, $2) -+ netutils_run_ping(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ networkmanager_run(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ nis_run_ypbind(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ nscd_run(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ ntp_run(dhcpc_t, $2) -+ ') -+ -+ seutil_run_setfiles(dhcpc_t, $2) -+ - ') - - ######################################## -diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 2d2b6ef..1bfcd4f 100644 ---- a/policy/modules/system/sysnetwork.te -+++ b/policy/modules/system/sysnetwork.te -@@ -12,8 +12,8 @@ policy_module(sysnetwork, 1.13.2) - ## - gen_tunable(dhcpc_exec_iptables, false) - --attribute_role dhcpc_roles; --roleattribute system_r dhcpc_roles; -+#attribute_role dhcpc_roles; -+#roleattribute system_r dhcpc_roles; - - # this is shared between dhcpc and dhcpd: - type dhcp_etc_t; -@@ -27,7 +27,8 @@ files_type(dhcp_state_t) - type dhcpc_t; - type dhcpc_exec_t; - 
init_daemon_domain(dhcpc_t, dhcpc_exec_t) --role dhcpc_roles types dhcpc_t; -+#role dhcpc_roles types dhcpc_t; -+role system_r types dhcpc_t; - - type dhcpc_helper_exec_t; - init_script_file(dhcpc_helper_exec_t) -@@ -159,9 +160,10 @@ logging_send_syslog_msg(dhcpc_t) - miscfiles_read_generic_certs(dhcpc_t) - miscfiles_read_localization(dhcpc_t) - --modutils_run_insmod(dhcpc_t, dhcpc_roles) -+#modutils_run_insmod(dhcpc_t, dhcpc_roles) -+modutils_domtrans_insmod(dhcpc_t) -+#sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) - --sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) - - userdom_use_user_terminals(dhcpc_t) - userdom_dontaudit_search_user_home_dirs(dhcpc_t) -@@ -176,9 +178,9 @@ ifdef(`distro_ubuntu',` - ') - ') - --optional_policy(` -- consoletype_run(dhcpc_t, dhcpc_roles) --') -+#optional_policy(` -+# consoletype_run(dhcpc_t, dhcpc_roles) -+#') - - optional_policy(` - chronyd_initrc_domtrans(dhcpc_t) -@@ -203,7 +205,8 @@ optional_policy(` - ') - - optional_policy(` -- hostname_run(dhcpc_t, dhcpc_roles) -+ hostname_domtrans(dhcpc_t) -+# hostname_run(dhcpc_t, dhcpc_roles) - ') - - optional_policy(` -commit 0a0c8b9d35398f3662db1b0bdb2f4c7761121ba1 -Author: Miroslav Grepl -Date: Thu Jun 7 02:26:53 2012 +0200 - - roleattribute patch for passwd_t - -diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if -index 764260e..da75471 100644 ---- a/policy/modules/admin/usermanage.if -+++ b/policy/modules/admin/usermanage.if -@@ -176,7 +176,7 @@ interface(`usermanage_kill_passwd',` - # - interface(`usermanage_run_passwd',` - gen_require(` -- type type passwd_t; -+ type passwd_t; - #attribute_role passwd_roles; - ') - -commit 0b71245f63ddbb6ca00790fa5318db798286d8d8 -Author: Miroslav Grepl -Date: Thu Jun 7 02:38:28 2012 +0200 - - Fix also for sysnetwork.te - -diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 1bfcd4f..3a94d52 100644 ---- a/policy/modules/system/sysnetwork.te -+++ b/policy/modules/system/sysnetwork.te 
-@@ -226,8 +226,10 @@ optional_policy(` - - # for the dhcp client to run ping to check IP addresses - optional_policy(` -- netutils_run_ping(dhcpc_t, dhcpc_roles) -- netutils_run(dhcpc_t, dhcpc_roles) -+ #netutils_run_ping(dhcpc_t, dhcpc_roles) -+ #netutils_run(dhcpc_t, dhcpc_roles) -+ netutils_domtrans_ping(dhcpc_t) -+ netutils_domtrans(dhcpc_t - ',` - allow dhcpc_t self:capability setuid; - allow dhcpc_t self:rawip_socket create_socket_perms; -commit fdfc3cf8dbc69bda177afe16e78a52891cb6da4a -Author: Miroslav Grepl -Date: Thu Jun 7 02:41:48 2012 +0200 - - Other - -diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 3a94d52..6a6f03f 100644 ---- a/policy/modules/system/sysnetwork.te -+++ b/policy/modules/system/sysnetwork.te -@@ -229,7 +229,7 @@ optional_policy(` - #netutils_run_ping(dhcpc_t, dhcpc_roles) - #netutils_run(dhcpc_t, dhcpc_roles) - netutils_domtrans_ping(dhcpc_t) -- netutils_domtrans(dhcpc_t -+ netutils_domtrans(dhcpc_t) - ',` - allow dhcpc_t self:capability setuid; - allow dhcpc_t self:rawip_socket create_socket_perms; -commit 2ea19d46d563741f998001a38f9d4dbb4d1fdd06 -Author: Miroslav Grepl -Date: Thu Jun 7 08:10:01 2012 +0200 - - Fix passwd - -diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index a077b28..396909c 100644 ---- a/policy/modules/admin/usermanage.te -+++ b/policy/modules/admin/usermanage.te -@@ -526,11 +526,6 @@ fs_getattr_xattr_fs(useradd_t) - mls_file_upgrade(useradd_t) - mls_process_read_to_clearance(useradd_t) - --seutil_semanage_policy(useradd_t) --seutil_manage_file_contexts(useradd_t) --seutil_manage_config(useradd_t) --seutil_manage_default_contexts(useradd_t) -- - term_use_all_inherited_terms(useradd_t) - term_getattr_all_ptys(useradd_t) - -@@ -554,14 +549,19 @@ logging_send_syslog_msg(useradd_t) - - miscfiles_read_localization(useradd_t) - -+seutil_semanage_policy(useradd_t) -+seutil_manage_file_contexts(useradd_t) -+seutil_manage_config(useradd_t) 
-+seutil_manage_default_contexts(useradd_t) -+ - seutil_read_config(useradd_t) - seutil_read_file_contexts(useradd_t) - seutil_read_default_contexts(useradd_t) - seutil_domtrans_semanage(useradd_t) - seutil_domtrans_setfiles(useradd_t) - seutil_domtrans_loadpolicy(useradd_t) --seutil_manage_bin_policy(useradd_t) --seutil_manage_module_store(useradd_t) -+#seutil_manage_bin_policy(useradd_t) -+#seutil_manage_module_store(useradd_t) - seutil_get_semanage_trans_lock(useradd_t) - seutil_get_semanage_read_lock(useradd_t) - #seutil_run_semanage(useradd_t, useradd_roles) -commit db92f5bcb6fe7f86aae12dffe64ec3d920815343 -Author: Miroslav Grepl -Date: Thu Jun 7 08:30:34 2012 +0200 - - Also for semanage_roles - -diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index cebf588..7e38077 100644 ---- a/policy/modules/system/selinuxutil.if -+++ b/policy/modules/system/selinuxutil.if -@@ -1140,11 +1140,18 @@ interface(`seutil_domtrans_setsebool',` - # - interface(`seutil_run_semanage',` - gen_require(` -- attribute_role semanage_roles; -+ #attribute_role semanage_roles; -+ type semanage_t; - ') - -+ #seutil_domtrans_semanage($1) -+ #roleattribute $2 semanage_roles; -+ - seutil_domtrans_semanage($1) -- roleattribute $2 semanage_roles; -+ seutil_run_setfiles(semanage_t, $2) -+ seutil_run_loadpolicy(semanage_t, $2) -+ role $2 types semanage_t; -+ - ') - - ######################################## -diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 4c24e3e..90498cd 100644 ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -19,8 +19,8 @@ attribute seutil_semanage_domain; - attribute_role run_init_roles; - role system_r types run_init_t; - --attribute_role semanage_roles; --roleattribute system_r semanage_roles; -+#attribute_role semanage_roles; -+#roleattribute system_r semanage_roles; - - # - # selinux_config_t is the type applied to -@@ -110,7 +110,8 @@ 
application_domain(semanage_t, semanage_exec_t) - dbus_system_domain(semanage_t, semanage_exec_t) - init_daemon_domain(semanage_t, semanage_exec_t) - domain_interactive_fd(semanage_t) --role semanage_roles types semanage_t; -+#role semanage_roles types semanage_t; -+role system_r types semanage_t; - - type setsebool_t; - type setsebool_exec_t; -@@ -530,14 +531,15 @@ files_read_non_security_files(semanage_t) - - seutil_manage_file_contexts(semanage_t) - seutil_manage_config(semanage_t) -- --seutil_run_setfiles(semanage_t, semanage_roles) --seutil_run_loadpolicy(semanage_t, semanage_roles) --seutil_manage_bin_policy(semanage_t) --seutil_use_newrole_fds(semanage_t) --seutil_manage_module_store(semanage_t) --seutil_get_semanage_trans_lock(semanage_t) --seutil_get_semanage_read_lock(semanage_t) -+seutil_domtrans_setfiles(semanage_t) -+ -+#seutil_run_setfiles(semanage_t, semanage_roles) -+#seutil_run_loadpolicy(semanage_t, semanage_roles) -+#seutil_manage_bin_policy(semanage_t) -+#seutil_use_newrole_fds(semanage_t) -+#seutil_manage_module_store(semanage_t) -+#seutil_get_semanage_trans_lock(semanage_t) -+#seutil_get_semanage_read_lock(semanage_t) - # netfilter_contexts: - seutil_manage_default_contexts(semanage_t) - -commit aebf9204ec2a7cfb943327eb3aace2a9b4130769 -Author: Miroslav Grepl -Date: Thu Jun 7 08:38:22 2012 +0200 - - run_init roles - -diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 7e38077..6903c5e 100644 ---- a/policy/modules/system/selinuxutil.if -+++ b/policy/modules/system/selinuxutil.if -@@ -457,11 +457,20 @@ interface(`seutil_init_script_domtrans_runinit',` - # - interface(`seutil_run_runinit',` - gen_require(` -- attribute_role run_init_roles; -+ #attribute_role run_init_roles; -+ type run_init_t; -+ role system_r; - ') - -- seutil_domtrans_runinit($1) -- roleattribute $2 run_init_roles; -+ #seutil_domtrans_runinit($1) -+ #roleattribute $2 run_init_roles; -+ -+ auth_run_chk_passwd(run_init_t, $2) -+ 
seutil_domtrans_runinit($1) -+ role $2 types run_init_t; -+ -+ allow $2 system_r; -+ - ') - - ######################################## -diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 90498cd..06b4e9a 100644 ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -16,8 +16,8 @@ attribute seutil_semanage_domain; - - #attribute_role newrole_roles; - --attribute_role run_init_roles; --role system_r types run_init_t; -+#attribute_role run_init_roles; -+#role system_r types run_init_t; - - #attribute_role semanage_roles; - #roleattribute system_r semanage_roles; -@@ -102,7 +102,8 @@ type run_init_t; - type run_init_exec_t; - application_domain(run_init_t, run_init_exec_t) - domain_system_change_exemption(run_init_t) --role run_init_roles types run_init_t; -+#role run_init_roles types run_init_t; -+role system_r types run_init_t; - - type semanage_t; - type semanage_exec_t; -@@ -412,7 +413,7 @@ optional_policy(` - # Run_init local policy - # - --allow run_init_roles system_r; -+#allow run_init_roles system_r; - - allow run_init_t self:process setexec; - allow run_init_t self:capability setuid; -@@ -449,11 +450,17 @@ selinux_compute_user_contexts(run_init_t) - - term_use_console(run_init_t) - -+#auth_use_nsswitch(run_init_t) -+#auth_run_chk_passwd(run_init_t, run_init_roles) -+#auth_run_upd_passwd(run_init_t, run_init_roles) -+#auth_dontaudit_read_shadow(run_init_t) -+ - auth_use_nsswitch(run_init_t) --auth_run_chk_passwd(run_init_t, run_init_roles) --auth_run_upd_passwd(run_init_t, run_init_roles) -+auth_domtrans_chk_passwd(run_init_t) -+auth_domtrans_upd_passwd(run_init_t) - auth_dontaudit_read_shadow(run_init_t) - -+ - init_spec_domtrans_script(run_init_t) - # for utmp - init_rw_utmp(run_init_t) -commit 4803dd3583e4c84e24a7f6974e195bb8145f1bb5 -Author: Miroslav Grepl -Date: Thu Jun 7 10:01:51 2012 +0200 - - One more for run_init - -diff --git a/policy/modules/system/selinuxutil.if 
b/policy/modules/system/selinuxutil.if -index 6903c5e..b64a37a 100644 ---- a/policy/modules/system/selinuxutil.if -+++ b/policy/modules/system/selinuxutil.if -@@ -502,11 +502,19 @@ interface(`seutil_run_runinit',` - # - interface(`seutil_init_script_run_runinit',` - gen_require(` -- attribute_role run_init_roles; -+ #attribute_role run_init_roles; -+ type run_init_t; -+ role system_r; - ') - -- seutil_init_script_domtrans_runinit($1) -- roleattribute $2 run_init_roles; -+ #seutil_init_script_domtrans_runinit($1) -+ #roleattribute $2 run_init_roles; -+ auth_run_chk_passwd(run_init_t, $2) -+ seutil_init_script_domtrans_runinit($1) -+ role $2 types run_init_t; -+ -+ allow $2 system_r; -+ - ') - - ######################################## diff --git a/policy_contrib-rawhide-roleattribute.patch b/policy_contrib-rawhide-roleattribute.patch deleted file mode 100644 index cbdb104..0000000 --- a/policy_contrib-rawhide-roleattribute.patch +++ /dev/null 
@@ -1,854 +0,0 @@ -commit f53f820fe366940d4fdecaef80de4e5b1178fac6 -Author: Miroslav Grepl -Date: Thu Jun 7 01:38:59 2012 +0200 - - roleattribute patch - -diff --git a/livecd.if b/livecd.if -index bfbf676..fb7869e 100644 ---- a/livecd.if -+++ b/livecd.if -@@ -38,12 +38,19 @@ interface(`livecd_run',` - gen_require(` - type livecd_t; - type livecd_exec_t; -- attribute_role livecd_roles; -+ #attribute_role livecd_roles; - ') - - livecd_domtrans($1) -- roleattribute $2 livecd_roles; -+ #roleattribute $2 livecd_roles; -+ role $2 types livecd_t; - role_transition $2 livecd_exec_t system_r; -+ -+ seutil_run_setfiles_mac(livecd_t, system_r) -+ -+ optional_policy(` -+ mount_run(livecd_t, $2) -+ ') - ') - - ######################################## -diff --git a/livecd.te b/livecd.te -index 65efdae..7a944b5 100644 ---- a/livecd.te -+++ b/livecd.te -@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0) - # Declarations - # - --attribute_role livecd_roles; --roleattribute system_r livecd_roles; -+#attribute_role livecd_roles; -+#roleattribute system_r livecd_roles; - - type livecd_t; - type livecd_exec_t; - application_domain(livecd_t, livecd_exec_t) --role livecd_roles types livecd_t; -+role system_r types livecd_t; -+#role livecd_roles types livecd_t; - - type livecd_tmp_t; - files_tmp_file(livecd_tmp_t) -@@ -35,10 +36,10 @@ term_filetrans_all_named_dev(livecd_t) - - sysnet_filetrans_named_content(livecd_t) - --optional_policy(` -- mount_run(livecd_t, livecd_roles) -- seutil_run_setfiles_mac(livecd_t, livecd_roles) --') -+#optional_policy(` -+# mount_run(livecd_t, livecd_roles) -+# seutil_run_setfiles_mac(livecd_t, livecd_roles) -+#') - - optional_policy(` - ssh_filetrans_admin_home_content(livecd_t) -diff --git a/mozilla.if b/mozilla.if -index 30b0241..30bfefb 100644 ---- a/mozilla.if -+++ b/mozilla.if -@@ -18,10 +18,11 @@ - interface(`mozilla_role',` - gen_require(` - type mozilla_t, mozilla_exec_t, mozilla_home_t; -- attribute_role mozilla_roles; -+ #attribute_role mozilla_roles; 
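Review bot: `mount_run(livecd_t, $2)` grants mount_t to the caller's role, yet the same interface adds `role_transition $2 livecd_exec_t system_r`, under which a livecd_t process presumably runs in system_r by the time it executes mount; the new `seutil_run_setfiles_mac(livecd_t, system_r)` line two lines above already uses system_r for that reason, so the two calls disagree about which role is live. If the role transition applies, `mount_run(livecd_t, system_r)` is the grant that matters (or just `mount_domtrans(livecd_t)` if mount_t is already in system_r from the mount module, which cannot be seen here). A short comment at the role_transition saying that everything below runs under system_r would make the intent checkable.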
- ') - -- roleattribute $1 mozilla_roles; -+ #roleattribute $1 mozilla_roles; -+ role $1 types mozilla_t; - - domain_auto_trans($2, mozilla_exec_t, mozilla_t) - # Unrestricted inheritance from the caller. -@@ -47,6 +48,8 @@ interface(`mozilla_role',` - relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) - relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) - -+ #should be remove then with adding of roleattribute -+ mozilla_run_plugin(mozilla_t, $1) - mozilla_dbus_chat($2) - - userdom_manage_tmp_role($1, mozilla_t) -@@ -63,7 +66,6 @@ interface(`mozilla_role',` - - mozilla_filetrans_home_content($2) - -- mozilla_dbus_chat($2) - ') - - ######################################## -diff --git a/mozilla.te b/mozilla.te -index 7bf56bf..56700a4 100644 ---- a/mozilla.te -+++ b/mozilla.te -@@ -19,14 +19,15 @@ gen_tunable(mozilla_read_content, false) - ## - gen_tunable(mozilla_plugin_enable_homedirs, false) - --attribute_role mozilla_roles; -+#attribute_role mozilla_roles; - - type mozilla_t; - type mozilla_exec_t; - typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; - typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; - userdom_user_application_domain(mozilla_t, mozilla_exec_t) --role mozilla_roles types mozilla_t; -+#role mozilla_roles types mozilla_t; -+role system_r types mozilla_t; - - type mozilla_conf_t; - files_config_file(mozilla_conf_t) -@@ -39,7 +40,8 @@ userdom_user_home_content(mozilla_home_t) - type mozilla_plugin_t; - type mozilla_plugin_exec_t; - application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) --role mozilla_roles types mozilla_plugin_t; -+#role mozilla_roles types mozilla_plugin_t; -+role system_r types mozilla_plugin_t; - - type mozilla_plugin_tmp_t; - userdom_user_tmp_content(mozilla_plugin_tmp_t) -@@ -55,7 +57,8 @@ files_type(mozilla_plugin_rw_t) - type mozilla_plugin_config_t; - type mozilla_plugin_config_exec_t; - application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) 
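Review bot: The new `mozilla_run_plugin(mozilla_t, $1)` in mozilla_role is explained only by `#should be remove then with adding of roleattribute`, which is ungrammatical and does not say why the call moved here from mozilla.te; I would write `# Temporary: until role attributes are usable, grant $1 the plugin domain here; move this back to mozilla.te once mozilla_roles returns.` Dropping the second `mozilla_dbus_chat($2)` further down is fine, since the first call is kept. The interface body starts before this hunk.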
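Review bot: `role system_r types mozilla_t;` (and the matching lines for mozilla_plugin_t and mozilla_plugin_config_t in the next two hunks) put user application domains into system_r, although nothing in these hunks shows a system_r process that needs to run the browser; before the patch these types were reachable only through mozilla_roles, i.e. the user roles that call mozilla_role. Since mozilla_role already does `role $1 types mozilla_t`, the system_r rules look like a stand-in for the lost attribute rather than a real need, and they widen what a compromised system_r daemon may transition into. If they exist only so the module builds without a caller, say so: `# system_r only so the module loads with no caller; user roles are added by mozilla_role()`.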
--role mozilla_roles types mozilla_plugin_config_t; -+#role mozilla_roles types mozilla_plugin_config_t; -+role system_r types mozilla_plugin_config_t; - - type mozilla_tmp_t; - userdom_user_tmp_file(mozilla_tmp_t) -@@ -186,7 +189,7 @@ sysnet_dns_name_resolve(mozilla_t) - - userdom_use_inherited_user_ptys(mozilla_t) - --mozilla_run_plugin(mozilla_t, mozilla_roles) -+#mozilla_run_plugin(mozilla_t, mozilla_roles) - - xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) - xserver_dontaudit_read_xdm_tmp_files(mozilla_t) -@@ -298,7 +301,8 @@ optional_policy(` - ') - - optional_policy(` -- pulseaudio_role(mozilla_roles, mozilla_t) -+ #pulseaudio_role(mozilla_roles, mozilla_t) -+ pulseaudio_exec(mozilla_t) - pulseaudio_stream_connect(mozilla_t) - pulseaudio_manage_home_files(mozilla_t) - ') -@@ -476,9 +480,9 @@ optional_policy(` - java_exec(mozilla_plugin_t) - ') - --optional_policy(` -- lpd_run_lpr(mozilla_plugin_t, mozilla_roles) --') -+#optional_policy(` -+# lpd_run_lpr(mozilla_plugin_t, mozilla_roles) -+#') - - optional_policy(` - mplayer_exec(mozilla_plugin_t) -diff --git a/ncftool.if b/ncftool.if -index 1520b6c..3a4455f 100644 ---- a/ncftool.if -+++ b/ncftool.if -@@ -36,10 +36,18 @@ interface(`ncftool_domtrans',` - # - interface(`ncftool_run',` - gen_require(` -- attribute_role ncftool_roles; -+ type ncftool_t; -+ #attribute_role ncftool_roles; - ') - -- ncftool_domtrans($1) -- roleattribute $2 ncftool_roles; -+ #ncftool_domtrans($1) -+ #roleattribute $2 ncftool_roles; -+ -+ role $1 types ncftool_t; -+ -+ ncftool_domtrans($2) -+ -+ ps_process_pattern($2, ncftool_t) -+ allow $2 ncftool_t:process signal; - ') - -diff --git a/ncftool.te b/ncftool.te -index 91ab36d..8c48c33 100644 ---- a/ncftool.te -+++ b/ncftool.te -@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.0) - # Declarations - # - --attribute_role ncftool_roles; --roleattribute system_r ncftool_roles; -+#attribute_role ncftool_roles; -+#roleattribute system_r ncftool_roles; - - type ncftool_t; - 
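Review bot: `pulseaudio_role(mozilla_roles, mozilla_t)` becomes `pulseaudio_exec(mozilla_t)`, which — if pulseaudio_exec does what its name says — runs pulseaudio inside mozilla_t instead of in its own domain, so this is a behaviour change and not a mechanical attribute removal; it needs a comment such as `# pulseaudio_role() needs a role attribute; run pulseaudio in-domain until that returns`. In the following hunk `lpd_run_lpr(mozilla_plugin_t, mozilla_roles)` is commented out with no domtrans replacement, so the plugin domain loses printing entirely rather than only the role rule; the like-for-like change is the `_domtrans` counterpart (lpd_domtrans_lpr in refpolicy, if present) inside the optional block, with the role added in mozilla_role.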
type ncftool_exec_t; - application_domain(ncftool_t, ncftool_exec_t) - domain_obj_id_change_exemption(ncftool_t) - domain_system_change_exemption(ncftool_t) --role ncftool_roles types ncftool_t; -+#role ncftool_roles types ncftool_t; -+role system_r types ncftool_t; - - ######################################## - # -@@ -53,8 +54,10 @@ term_use_all_inherited_terms(ncftool_t) - - miscfiles_read_localization(ncftool_t) - sysnet_delete_dhcpc_pid(ncftool_t) --sysnet_run_dhcpc(ncftool_t, ncftool_roles) --sysnet_run_ifconfig(ncftool_t, ncftool_roles) -+sysnet_domtrans_dhcpc(ncftool_t) -+sysnet_domtrans_ifconfig(ncftool_t) -+#sysnet_run_dhcpc(ncftool_t, ncftool_roles) -+#sysnet_run_ifconfig(ncftool_t, ncftool_roles) - sysnet_etc_filetrans_config(ncftool_t) - sysnet_manage_config(ncftool_t) - sysnet_read_dhcpc_state(ncftool_t) -@@ -66,9 +69,9 @@ sysnet_signal_dhcpc(ncftool_t) - userdom_use_user_terminals(ncftool_t) - userdom_read_user_tmp_files(ncftool_t) - --optional_policy(` -- brctl_run(ncftool_t, ncftool_roles) --') -+#optional_policy(` -+# brctl_run(ncftool_t, ncftool_roles) -+#') - - optional_policy(` - consoletype_exec(ncftool_t) -@@ -85,9 +88,12 @@ optional_policy(` - - optional_policy(` - modutils_read_module_config(ncftool_t) -- modutils_run_insmod(ncftool_t, ncftool_roles) -+ modutils_domtrans_insmod(ncftool_t) -+ #modutils_run_insmod(ncftool_t, ncftool_roles) -+ - ') - - optional_policy(` -- netutils_run(ncftool_t, ncftool_roles) -+ netutils_domtrans(ncftool_t) -+ #netutils_run(ncftool_t, ncftool_roles) - ') -diff --git a/ppp.if b/ppp.if -index c174b05..a4cad0b 100644 ---- a/ppp.if -+++ b/ppp.if -@@ -175,11 +175,18 @@ interface(`ppp_run_cond',` - # - interface(`ppp_run',` - gen_require(` -- attribute_role pppd_roles; -+ #attribute_role pppd_roles; -+ type pppd_t; - ') - -- ppp_domtrans($1) -- roleattribute $2 pppd_roles; -+ #ppp_domtrans($1) -+ #roleattribute $2 pppd_roles; -+ -+ role $2 types pppd_t; -+ -+ tunable_policy(`pppd_for_user',` -+ ppp_domtrans($1) -+ 
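Review bot: `sysnet_run_dhcpc`/`sysnet_run_ifconfig` (and `modutils_run_insmod`, `netutils_run` in the later hunks) are swapped for their `_domtrans` forms, which keep the type transition but drop the `role … types` grant; with ncftool_run now handing ncftool_t to an arbitrary role via `role $2 types ncftool_t`, that role also needs dhcpc_t, ifconfig_t, insmod_t and netutils_t or the second hop is refused as a role violation. Whether the usual caller roles already hold those types cannot be seen here; if they do not, the vpn_run hunk further down shows the pattern — keep `sysnet_run_ifconfig(ncftool_t, $2)` in the interface instead of a bare domtrans in the .te. The `$1`/`$2` mix-up in this version of ncftool_run is already corrected by the "Fix ncftool.if" commit below, so I am not re-raising it.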
') - ') - - ######################################## -diff --git a/ppp.te b/ppp.te -index 17e10a2..92cec2b 100644 ---- a/ppp.te -+++ b/ppp.te -@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false) - ## - gen_tunable(pppd_for_user, false) - --attribute_role pppd_roles; -+#attribute_role pppd_roles; - - # pppd_t is the domain for the pppd program. - # pppd_exec_t is the type of the pppd executable. - type pppd_t; - type pppd_exec_t; - init_daemon_domain(pppd_t, pppd_exec_t) --role pppd_roles types pppd_t; -+#role pppd_roles types pppd_t; -+role system_r types pppd_t; - - type pppd_devpts_t; - term_pty(pppd_devpts_t) -@@ -64,7 +65,8 @@ files_pid_file(pppd_var_run_t) - type pptp_t; - type pptp_exec_t; - init_daemon_domain(pptp_t, pptp_exec_t) --role pppd_roles types pptp_t; -+#role pppd_roles types pptp_t; -+role system_r types pptp_t; - - type pptp_log_t; - logging_log_file(pptp_log_t) -@@ -176,7 +178,8 @@ init_dontaudit_write_utmp(pppd_t) - init_signal_script(pppd_t) - - auth_use_nsswitch(pppd_t) --auth_run_chk_passwd(pppd_t,pppd_roles) -+auth_domtrans_chk_passwd(pppd_t) -+#auth_run_chk_passwd(pppd_t,pppd_roles) - auth_write_login_records(pppd_t) - - logging_send_syslog_msg(pppd_t) -@@ -196,7 +199,8 @@ userdom_search_admin_dir(pppd_t) - ppp_exec(pppd_t) - - optional_policy(` -- ddclient_run(pppd_t, pppd_roles) -+ #ddclient_run(pppd_t, pppd_roles) -+ ddclient_domtrans(pppd_t) - ') - - optional_policy(` -diff --git a/usernetctl.if b/usernetctl.if -index d45c715..2d4f1ba 100644 ---- a/usernetctl.if -+++ b/usernetctl.if -@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',` - # - interface(`usernetctl_run',` - gen_require(` -- attribute_role usernetctl_roles; -+ type usernetctl_t; -+ #attribute_role usernetctl_roles; - ') - -- usernetctl_domtrans($1) -- roleattribute $2 usernetctl_roles; -+ #usernetctl_domtrans($1) -+ #roleattribute $2 usernetctl_roles; -+ -+ sysnet_run_ifconfig(usernetctl_t, $2) -+ sysnet_run_dhcpc(usernetctl_t, $2) -+ -+ optional_policy(` -+ 
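Review bot: `ppp_run` now performs `ppp_domtrans($1)` only inside the pppd_for_user tunable_policy block, so a caller that needs the transition unconditionally — usernetctl_run in the next file calls `ppp_run(usernetctl_t, $2)` — silently loses it when the boolean is off, and the interface becomes a duplicate of `ppp_run_cond`, whose header is visible just above. The unconditional `role $2 types pppd_t;` is right (role statements cannot live inside a boolean), but the domtrans should stay unconditional too: `ppp_domtrans($1)` followed by `role $2 types pppd_t;`. If the conditional behaviour is intended, the interface description (outside this hunk) must say so, and ppp_run_cond should be removed rather than shadowed.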
iptables_run(usernetctl_t, $2) -+ ') -+ -+ optional_policy(` -+ modutils_run_insmod(usernetctl_t, $2) -+ ') -+ -+ optional_policy(` -+ ppp_run(usernetctl_t, $2) -+ ') -+ - ') -diff --git a/usernetctl.te b/usernetctl.te -index 8604c1c..35b12a6 100644 ---- a/usernetctl.te -+++ b/usernetctl.te -@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0) - # Declarations - # - --attribute_role usernetctl_roles; -+#attribute_role usernetctl_roles; - - type usernetctl_t; - type usernetctl_exec_t; - application_domain(usernetctl_t, usernetctl_exec_t) - domain_interactive_fd(usernetctl_t) --role usernetctl_roles types usernetctl_t; -+#role usernetctl_roles types usernetctl_t; -+role system_r types usernetctl_t; - - ######################################## - # -@@ -63,29 +64,30 @@ sysnet_read_config(usernetctl_t) - - userdom_use_inherited_user_terminals(usernetctl_t) - --sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) --sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) -+#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) -+#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) - - optional_policy(` -- consoletype_run(usernetctl_t, usernetctl_roles) -+ #consoletype_run(usernetctl_t, usernetctl_roles) -+ consoletype_exec(usernetctl_t) - ') - - optional_policy(` - hostname_exec(usernetctl_t) - ') - --optional_policy(` -- iptables_run(usernetctl_t, usernetctl_roles) --') -+#optional_policy(` -+# iptables_run(usernetctl_t, usernetctl_roles) -+#') - --optional_policy(` -- modutils_run_insmod(usernetctl_t, usernetctl_roles) --') -+#optional_policy(` -+# modutils_run_insmod(usernetctl_t, usernetctl_roles) -+#') - - optional_policy(` - nis_use_ypbind(usernetctl_t) - ') - --optional_policy(` -- ppp_run(usernetctl_t, usernetctl_roles) --') -+#optional_policy(` -+# ppp_run(usernetctl_t, usernetctl_roles) -+#') -diff --git a/vpn.if b/vpn.if -index 7b93e07..a4e2f60 100644 ---- a/vpn.if -+++ b/vpn.if -@@ -37,11 +37,16 @@ interface(`vpn_domtrans',` - # - interface(`vpn_run',` - gen_require(` -- 
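Review bot: usernetctl_run no longer grants a transition into usernetctl_t at all: `usernetctl_domtrans($1)` is commented out and no `role $2 types usernetctl_t;` replaces the removed `roleattribute`, so a caller receives the ifconfig/dhcpc/iptables/insmod/ppp role rules for a domain it cannot enter. The interface needs `usernetctl_domtrans($1)` and `role $2 types usernetctl_t;` at the top of the body, as the other `_run` interfaces in this patch do. Its signature line is before this hunk.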
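Review bot: `consoletype_run(usernetctl_t, usernetctl_roles)` is replaced by `consoletype_exec(usernetctl_t)`, which changes where consoletype executes (inside usernetctl_t instead of its own domain) rather than just dropping the role part; elsewhere in this patch the like-for-like substitute is the `_domtrans` form, so `consoletype_domtrans(usernetctl_t)` — if the consoletype module provides it — would preserve the domain separation. If running it in-domain is deliberate, say so at the line: `# run consoletype in-domain: no role attribute to carry the transition`.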
attribute_role vpnc_roles; -+ #attribute_role vpnc_roles; -+ type vpnc_t; - ') - -+ #vpn_domtrans($1) -+ #roleattribute $2 vpnc_roles; -+ - vpn_domtrans($1) -- roleattribute $2 vpnc_roles; -+ role $2 types vpnc_t; -+ sysnet_run_ifconfig(vpnc_t, $2) - ') - - ######################################## -diff --git a/vpn.te b/vpn.te -index 99fd457..d2585bb 100644 ---- a/vpn.te -+++ b/vpn.te -@@ -5,14 +5,15 @@ policy_module(vpn, 1.15.0) - # Declarations - # - --attribute_role vpnc_roles; --roleattribute system_r vpnc_roles; -+#attribute_role vpnc_roles; -+#roleattribute system_r vpnc_roles; - - type vpnc_t; - type vpnc_exec_t; - init_system_domain(vpnc_t, vpnc_exec_t) - application_domain(vpnc_t, vpnc_exec_t) --role vpnc_roles types vpnc_t; -+#role vpnc_roles types vpnc_t; -+role system_r types vpnc_t; - - type vpnc_tmp_t; - files_tmp_file(vpnc_tmp_t) -@@ -108,7 +109,7 @@ miscfiles_read_localization(vpnc_t) - seutil_dontaudit_search_config(vpnc_t) - seutil_use_newrole_fds(vpnc_t) - --sysnet_run_ifconfig(vpnc_t, vpnc_roles) -+#sysnet_run_ifconfig(vpnc_t, vpnc_roles) - sysnet_etc_filetrans_config(vpnc_t) - sysnet_manage_config(vpnc_t) - -commit 88b64bdd71ef734271b9370fc37e02785f354f7f -Author: Miroslav Grepl -Date: Thu Jun 7 02:33:40 2012 +0200 - - Fix ncftool.if - -diff --git a/ncftool.if b/ncftool.if -index 3a4455f..59f096b 100644 ---- a/ncftool.if -+++ b/ncftool.if -@@ -43,11 +43,12 @@ interface(`ncftool_run',` - #ncftool_domtrans($1) - #roleattribute $2 ncftool_roles; - -- role $1 types ncftool_t; -+ ncftool_domtrans($1) -+ role $2 types ncftool_t; - -- ncftool_domtrans($2) -+ optional_policy(` -+ brctl_run(ncftool_t, $2) -+ ') - -- ps_process_pattern($2, ncftool_t) -- allow $2 ncftool_t:process signal; - ') - -commit 1d49e7e1383a578e75d16b0b7f58dbe25351b1d9 -Author: Miroslav Grepl -Date: Thu Jun 7 10:47:57 2012 +0200 - - roleattriburte temp fixes for portage and dpkg - -diff --git a/dpkg.if b/dpkg.if -index 4d32b42..d945bd0 100644 ---- a/dpkg.if -+++ b/dpkg.if -@@ 
-62,11 +62,18 @@ interface(`dpkg_domtrans_script',` - # - interface(`dpkg_run',` - gen_require(` -- attribute_role dpkg_roles; -+ #attribute_role dpkg_roles; -+ type dpkg_t, dpkg_script_t - ') - -+ #dpkg_domtrans($1) -+ #roleattribute $2 dpkg_roles; -+ - dpkg_domtrans($1) -- roleattribute $2 dpkg_roles; -+ role $2 types dpkg_t; -+ role $2 types dpkg_script_t; -+ seutil_run_loadpolicy(dpkg_script_t, $2) -+ - ') - - ######################################## -diff --git a/dpkg.te b/dpkg.te -index a1b8f92..9ac1b80 100644 ---- a/dpkg.te -+++ b/dpkg.te -@@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1) - # Declarations - # - --attribute_role dpkg_roles; --roleattribute system_r dpkg_roles; -+#attribute_role dpkg_roles; -+#roleattribute system_r dpkg_roles; - - type dpkg_t; - type dpkg_exec_t; -@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t) - domain_role_change_exemption(dpkg_t) - domain_system_change_exemption(dpkg_t) - domain_interactive_fd(dpkg_t) --role dpkg_roles types dpkg_t; -+#role dpkg_roles types dpkg_t; -+role system_r types dpkg_t; - - # lockfile - type dpkg_lock_t; -@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t) - domain_obj_id_change_exemption(dpkg_script_t) - domain_system_change_exemption(dpkg_script_t) - domain_interactive_fd(dpkg_script_t) --role dpkg_roles types dpkg_script_t; -+#role dpkg_roles types dpkg_script_t; -+role system_r types dpkg_script_t; - - type dpkg_script_tmp_t; - files_tmp_file(dpkg_script_tmp_t) -@@ -152,9 +154,12 @@ files_exec_etc_files(dpkg_t) - init_domtrans_script(dpkg_t) - init_use_script_ptys(dpkg_t) - -+#libs_exec_ld_so(dpkg_t) -+#libs_exec_lib_files(dpkg_t) -+#libs_run_ldconfig(dpkg_t, dpkg_roles) - libs_exec_ld_so(dpkg_t) - libs_exec_lib_files(dpkg_t) --libs_run_ldconfig(dpkg_t, dpkg_roles) -+libs_domtrans_ldconfig(dpkg_t) - - logging_send_syslog_msg(dpkg_t) - -@@ -196,19 +201,30 @@ domain_signull_all_domains(dpkg_t) - files_read_etc_runtime_files(dpkg_t) - files_exec_usr_files(dpkg_t) - 
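Review bot: `seutil_run_loadpolicy(dpkg_script_t, $2)` hands load_policy_t to every role that is given dpkg_run, which is the most security-sensitive grant in this interface (that role can then load policy), yet neither the hunk nor the interface doc above it calls it out; add `# dpkg maintainer scripts reload policy: the caller role is granted load_policy_t` above the line. The grant is not new — the old roleattribute route reached the same rule via dpkg.te — but it is now explicit per caller and should be documented as such. The missing `;` after `dpkg_script_t` is fixed by the last commit on the page.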
miscfiles_read_localization(dpkg_t) --modutils_run_depmod(dpkg_t, dpkg_roles) --modutils_run_insmod(dpkg_t, dpkg_roles) --seutil_run_loadpolicy(dpkg_t, dpkg_roles) --seutil_run_setfiles(dpkg_t, dpkg_roles) -+#modutils_run_depmod(dpkg_t, dpkg_roles) -+#modutils_run_insmod(dpkg_t, dpkg_roles) -+#seutil_run_loadpolicy(dpkg_t, dpkg_roles) -+#seutil_run_setfiles(dpkg_t, dpkg_roles) - userdom_use_all_users_fds(dpkg_t) - optional_policy(` - mta_send_mail(dpkg_t) - ') -+ -+ - optional_policy(` -- usermanage_run_groupadd(dpkg_t, dpkg_roles) -- usermanage_run_useradd(dpkg_t, dpkg_roles) -+ modutils_domtrans_depmod(dpkg_t) -+ modutils_domtrans_insmod(dpkg_t) -+ seutil_domtrans_loadpolicy(dpkg_t) -+ seutil_domtrans_setfiles(dpkg_t) -+ usermanage_domtrans_groupadd(dpkg_t) -+ usermanage_domtrans_useradd(dpkg_t) - ') - -+#optional_policy(` -+# usermanage_run_groupadd(dpkg_t, dpkg_roles) -+# usermanage_run_useradd(dpkg_t, dpkg_roles) -+#') -+ - ######################################## - # - # dpkg-script Local policy -@@ -302,11 +318,11 @@ logging_send_syslog_msg(dpkg_script_t) - - miscfiles_read_localization(dpkg_script_t) - --modutils_run_depmod(dpkg_script_t, dpkg_roles) --modutils_run_insmod(dpkg_script_t, dpkg_roles) -+#modutils_run_depmod(dpkg_script_t, dpkg_roles) -+#modutils_run_insmod(dpkg_script_t, dpkg_roles) - --seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) --seutil_run_setfiles(dpkg_script_t, dpkg_roles) -+#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) -+#seutil_run_setfiles(dpkg_script_t, dpkg_roles) - - userdom_use_all_users_fds(dpkg_script_t) - -@@ -319,9 +335,9 @@ optional_policy(` - apt_use_fds(dpkg_script_t) - ') - --optional_policy(` -- bootloader_run(dpkg_script_t, dpkg_roles) --') -+#optional_policy(` -+# bootloader_run(dpkg_script_t, dpkg_roles) -+#') - - optional_policy(` - mta_send_mail(dpkg_script_t) -@@ -335,7 +351,7 @@ optional_policy(` - unconfined_domain(dpkg_script_t) - ') - --optional_policy(` -- usermanage_run_groupadd(dpkg_script_t, 
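Review bot: The new `optional_policy` block lists modutils, seutil and usermanage calls together, and an optional block is dropped as a whole when any of its requirements is unmet, so a build without usermanage would also lose depmod, insmod, load_policy and setfiles for dpkg_t; before the patch the seutil and modutils calls were unconditional and only usermanage was optional. Keep that shape — unconditional modutils/seutil domtrans, usermanage in its own block — as below. The commented-out `usermanage_run_*` block that follows is dead text and can be removed.
```m4
# … unchanged: mta_send_mail optional block …
modutils_domtrans_depmod(dpkg_t)
modutils_domtrans_insmod(dpkg_t)
seutil_domtrans_loadpolicy(dpkg_t)
seutil_domtrans_setfiles(dpkg_t)

optional_policy(`
	usermanage_domtrans_groupadd(dpkg_t)
	usermanage_domtrans_useradd(dpkg_t)
')
```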
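Review bot: For dpkg_script_t the `modutils_run_depmod`, `modutils_run_insmod`, `seutil_run_loadpolicy` and `seutil_run_setfiles` lines are commented out with no `_domtrans` replacement (the `bootloader_run` and `usermanage_run_*` blocks in the following hunks likewise), whereas dpkg_t in the hunk above received `_domtrans` substitutes; only load_policy survives, via dpkg_run in dpkg.if. Maintainer scripts that call depmod, setfiles, grub or useradd would therefore run them inside dpkg_script_t or be denied. Restore the transitions here and add the matching `bootloader_domtrans`/`usermanage_domtrans_*` calls inside the optional blocks below.
```m4
modutils_domtrans_depmod(dpkg_script_t)
modutils_domtrans_insmod(dpkg_script_t)

seutil_domtrans_setfiles(dpkg_script_t)
# … unchanged: userdom_use_all_users_fds(dpkg_script_t) …
```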
dpkg_roles) -- usermanage_run_useradd(dpkg_script_t, dpkg_roles) --') -+#optional_policy(` -+# usermanage_run_groupadd(dpkg_script_t, dpkg_roles) -+# usermanage_run_useradd(dpkg_script_t, dpkg_roles) -+#') -diff --git a/portage.if b/portage.if -index b4bb48a..e5e8f12 100644 ---- a/portage.if -+++ b/portage.if -@@ -43,11 +43,15 @@ interface(`portage_domtrans',` - # - interface(`portage_run',` - gen_require(` -- attribute_role portage_roles; -+ type portage_t, portage_fetch_t, portage_sandbox_t; -+ #attribute_role portage_roles; - ') - -- portage_domtrans($1) -- roleattribute $2 portage_roles; -+ #portage_domtrans($1) -+ #roleattribute $2 portage_roles; -+ portage_domtrans($1) -+ role $2 types { portage_t portage_fetch_t portage_sandbox_t } -+ - ') - - ######################################## -diff --git a/portage.te b/portage.te -index 22bdf7d..f726e1d 100644 ---- a/portage.te -+++ b/portage.te -@@ -12,7 +12,7 @@ policy_module(portage, 1.12.4) - ## - gen_tunable(portage_use_nfs, false) - --attribute_role portage_roles; -+#attribute_role portage_roles; - - type gcc_config_t; - type gcc_config_exec_t; -@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t) - domain_obj_id_change_exemption(portage_t) - rsync_entry_type(portage_t) - corecmd_shell_entry_type(portage_t) --role portage_roles types portage_t; -+#role portage_roles types portage_t; -+role system_r types portage_t; - - # portage compile sandbox domain - type portage_sandbox_t; -@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t) - # the shell is the entrypoint if regular sandbox is disabled - # portage_exec_t is the entrypoint if regular sandbox is enabled - corecmd_shell_entry_type(portage_sandbox_t) --role portage_roles types portage_sandbox_t; -+#role portage_roles types portage_sandbox_t; -+role system_r types portage_sandbox_t; - - # portage package fetching domain - type portage_fetch_t; -@@ -41,7 +43,8 @@ type portage_fetch_exec_t; - application_domain(portage_fetch_t, 
portage_fetch_exec_t) - corecmd_shell_entry_type(portage_fetch_t) - rsync_entry_type(portage_fetch_t) --role portage_roles types portage_fetch_t; -+#role portage_roles types portage_fetch_t; -+role system_r types portage_fetch_t; - - type portage_devpts_t; - term_pty(portage_devpts_t) -@@ -115,7 +118,8 @@ files_list_all(gcc_config_t) - init_dontaudit_read_script_status_files(gcc_config_t) - - libs_read_lib_files(gcc_config_t) --libs_run_ldconfig(gcc_config_t, portage_roles) -+#libs_run_ldconfig(gcc_config_t, portage_roles) -+libs_domtrans_ldconfig(gcc_config_t) - libs_manage_shared_libs(gcc_config_t) - # gcc-config creates a temp dir for the libs - libs_manage_lib_dirs(gcc_config_t) -@@ -196,33 +200,41 @@ auth_manage_shadow(portage_t) - init_exec(portage_t) - - # run setfiles -r --seutil_run_setfiles(portage_t, portage_roles) -+#seutil_run_setfiles(portage_t, portage_roles) - # run semodule --seutil_run_semanage(portage_t, portage_roles) -+#seutil_run_semanage(portage_t, portage_roles) - --portage_run_gcc_config(portage_t, portage_roles) -+#portage_run_gcc_config(portage_t, portage_roles) - # if sesandbox is disabled, compiling is performed in this domain - portage_compile_domain(portage_t) - --optional_policy(` -- bootloader_run(portage_t, portage_roles) --') -+#optional_policy(` -+# bootloader_run(portage_t, portage_roles) -+#') - - optional_policy(` - cron_system_entry(portage_t, portage_exec_t) - cron_system_entry(portage_fetch_t, portage_fetch_exec_t) - ') - --optional_policy(` -- modutils_run_depmod(portage_t, portage_roles) -- modutils_run_update_mods(portage_t, portage_roles) -+#optional_policy(` -+# modutils_run_depmod(portage_t, portage_roles) -+# modutils_run_update_mods(portage_t, portage_roles) - #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; - ') - --optional_policy(` -- usermanage_run_groupadd(portage_t, portage_roles) -- usermanage_run_useradd(portage_t, portage_roles) --') -+#optional_policy(` -+# usermanage_run_groupadd(portage_t, 
portage_roles) -+# usermanage_run_useradd(portage_t, portage_roles) -+#') -+ -+seutil_domtrans_setfiles(portage_t) -+seutil_domtrans_semanage(portage_t) -+bootloader_domtrans(portage_t) -+modutils_domtrans_depmod(portage_t) -+modutils_domtrans_update_mods(portage_t) -+usermanage_domtrans_groupadd(portage_t) -+usermanage_domtrans_useradd(portage_t) - - ifdef(`TODO',` - # seems to work ok without these -commit 1797b35f16d5c863a0083148dee4ee3f93c4c4ef -Author: Miroslav Grepl -Date: Thu Jun 7 10:52:09 2012 +0200 - - Fix typo - -diff --git a/portage.if b/portage.if -index e5e8f12..7098ded 100644 ---- a/portage.if -+++ b/portage.if -@@ -50,7 +50,7 @@ interface(`portage_run',` - #portage_domtrans($1) - #roleattribute $2 portage_roles; - portage_domtrans($1) -- role $2 types { portage_t portage_fetch_t portage_sandbox_t } -+ role $2 types { portage_t portage_fetch_t portage_sandbox_t }; - - ') - -commit cf999ca29d2a4401c481e28c169e10d676d73526 -Author: Miroslav Grepl -Date: Thu Jun 7 10:59:22 2012 +0200 - - One more typo - -diff --git a/dpkg.if b/dpkg.if -index d945bd0..78736d8 100644 ---- a/dpkg.if -+++ b/dpkg.if -@@ -63,7 +63,7 @@ interface(`dpkg_domtrans_script',` - interface(`dpkg_run',` - gen_require(` - #attribute_role dpkg_roles; -- type dpkg_t, dpkg_script_t -+ type dpkg_t, dpkg_script_t; - ') - - #dpkg_domtrans($1)
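Review bot: Commenting out the opening line and the two `modutils_run_*` lines of the modutils optional_policy block while leaving its closing `')` as a context line (right after `#dontaudit update_modules_t …`) leaves a stray `')` in the module source; with the opener gone into a comment it has nothing to close, and I would expect the portage module to fail to build — please verify. The seven `*_domtrans(portage_t)` calls appended at the end are unconditional, turning what were optional dependencies on bootloader, modutils and usermanage into hard ones, and `portage_run_gcc_config` is removed with no `portage_domtrans_gcc_config` replacement, so portage_t loses the gcc-config transition. Comment the stray `')` and wrap the new calls in per-module optional blocks as below; the hunk ends inside the TODO ifdef section, which continues past this view.
```m4
#optional_policy(`
#	modutils_run_depmod(portage_t, portage_roles)
#	modutils_run_update_mods(portage_t, portage_roles)
#	#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
#')
# … unchanged: commented-out usermanage_run_* block …

seutil_domtrans_setfiles(portage_t)
seutil_domtrans_semanage(portage_t)
portage_domtrans_gcc_config(portage_t)

optional_policy(`
	bootloader_domtrans(portage_t)
')

optional_policy(`
	modutils_domtrans_depmod(portage_t)
	modutils_domtrans_update_mods(portage_t)
')

optional_policy(`
	usermanage_domtrans_groupadd(portage_t)
	usermanage_domtrans_useradd(portage_t)
')
```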