commit cfa63bfedb3b94a2b78bc3ee394cf7132167e45b Author: Miroslav Grepl Date: Thu Jun 7 02:18:29 2012 +0200 roleattribute patch diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if index 4a50807..5e914db 100644 --- a/policy/modules/admin/bootloader.if +++ b/policy/modules/admin/bootloader.if @@ -56,11 +56,21 @@ interface(`bootloader_exec',` # interface(`bootloader_run',` gen_require(` - attribute_role bootloader_roles; + type bootloader_t; + #attribute_role bootloader_roles; ') + #bootloader_domtrans($1) + #roleattribute $2 bootloader_roles; + bootloader_domtrans($1) - roleattribute $2 bootloader_roles; + + role $2 types bootloader_t; + + ifdef(`distro_redhat',` + # for mke2fs + mount_run(bootloader_t, $2) + ') ') ######################################## diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 81a08e4..e717a21 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0) # Declarations # -attribute_role bootloader_roles; -roleattribute system_r bootloader_roles; +#attribute_role bootloader_roles; +#roleattribute system_r bootloader_roles; # # boot_runtime_t is the type for /boot/kernel.h, @@ -19,7 +19,8 @@ files_type(boot_runtime_t) type bootloader_t; type bootloader_exec_t; application_domain(bootloader_t, bootloader_exec_t) -role bootloader_roles types bootloader_t; +#role bootloader_roles types bootloader_t; +role system_r types bootloader_t; # # bootloader_etc_t is the configuration file, @@ -174,7 +175,8 @@ ifdef(`distro_redhat',` files_manage_isid_type_chr_files(bootloader_t) # for mke2fs - mount_run(bootloader_t, bootloader_roles) + #mount_run(bootloader_t, bootloader_roles) + mount_domtrans(bootloader_t) optional_policy(` unconfined_domain(bootloader_t) diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if index 4d387af..764260e 100644 
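Review bot: The replaced declarations are kept as commented-out copies (`#attribute_role bootloader_roles;` in gen_require, `#bootloader_domtrans($1)` and `#roleattribute $2 bootloader_roles;` in the body) instead of being deleted, and the same pattern repeats in every hunk of this series, including commented copies of lines that are not changed at all in the selinuxutil.te run_init hunk. Since `role $2 types bootloader_t;` fully replaces the role attribute, the old lines carry no information that history does not, and they roughly double the size of every interface body. Drop the commented lines and leave only `type bootloader_t;` in gen_require and the live statements in the body.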
--- a/policy/modules/admin/usermanage.if +++ b/policy/modules/admin/usermanage.if @@ -37,11 +37,16 @@ interface(`usermanage_domtrans_chfn',` # interface(`usermanage_run_chfn',` gen_require(` - attribute_role chfn_roles; + #attribute_role chfn_roles; + type chfn_t; ') + #usermanage_domtrans_chfn($1) + #roleattribute $2 chfn_roles; + usermanage_domtrans_chfn($1) - roleattribute $2 chfn_roles; + role $2 types chfn_t; + ') ######################################## @@ -101,11 +106,19 @@ interface(`usermanage_access_check_groupadd',` # interface(`usermanage_run_groupadd',` gen_require(` - attribute_role groupadd_roles; + type groupadd_t; + #attribute_role groupadd_roles; ') + #usermanage_domtrans_groupadd($1) + #roleattribute $2 groupadd_roles; usermanage_domtrans_groupadd($1) - roleattribute $2 groupadd_roles; + role $2 types groupadd_t; + + optional_policy(` + nscd_run(groupadd_t, $2) + ') + ') ######################################## @@ -163,11 +176,17 @@ interface(`usermanage_kill_passwd',` # interface(`usermanage_run_passwd',` gen_require(` - attribute_role passwd_roles; + type type passwd_t; + #attribute_role passwd_roles; ') + #usermanage_domtrans_passwd($1) + #roleattribute $2 passwd_roles; + usermanage_domtrans_passwd($1) - roleattribute $2 passwd_roles; + role $2 types passwd_t; + auth_run_chk_passwd(passwd_t, $2) + ') ######################################## @@ -229,11 +248,20 @@ interface(`usermanage_domtrans_admin_passwd',` # interface(`usermanage_run_admin_passwd',` gen_require(` - attribute_role sysadm_passwd_roles; + type sysadm_passwd_t; + #attribute_role sysadm_passwd_roles; ') + #usermanage_domtrans_admin_passwd($1) + #roleattribute $2 sysadm_passwd_roles; + usermanage_domtrans_admin_passwd($1) - roleattribute $2 sysadm_passwd_roles; + role $2 types sysadm_passwd_t; + + optional_policy(` + nscd_run(sysadm_passwd_t, $2) + ') + ') ######################################## 
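Review bot: `usermanage_run_chfn` adds only `role $2 types chfn_t;`, while the usermanage.te hunk in this same commit replaces `auth_run_chk_passwd(chfn_t, chfn_roles)` with `auth_use_pam(chfn_t)`, which carries no role statement; roles that call this interface are therefore no longer associated with the password-checking helper domain unless some other rule does it. `usermanage_run_passwd` in the same file handles this by adding `auth_run_chk_passwd(passwd_t, $2)`, so the chfn interface should add `auth_run_chk_passwd(chfn_t, $2)`. The `usermanage_run_groupadd` hunk has the same gap (its .te rule becomes `auth_domtrans_chk_passwd(groupadd_t)`), so `auth_run_chk_passwd(groupadd_t, $2)` belongs next to its `nscd_run` call.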
@@ -292,11 +320,20 @@ interface(`usermanage_domtrans_useradd',` # interface(`usermanage_run_useradd',` gen_require(` - attribute_role useradd_roles; + #attribute_role useradd_roles; + type sysadm_passwd_t; ') - usermanage_domtrans_useradd($1) - roleattribute $2 useradd_roles; + #usermanage_domtrans_useradd($1) + #roleattribute $2 useradd_roles; + + usermanage_domtrans_admin_passwd($1) + role $2 types sysadm_passwd_t; + + optional_policy(` + nscd_run(sysadm_passwd_t, $2) + ') + ') ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 446b743..a077b28 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.17.3) # Declarations # -attribute_role chfn_roles; -role system_r types chfn_t; +#attribute_role chfn_roles; +#role system_r types chfn_t; -attribute_role groupadd_roles; +#attribute_role groupadd_roles; -attribute_role passwd_roles; -roleattribute system_r passwd_roles; +#attribute_role passwd_roles; +#roleattribute system_r passwd_roles; -attribute_role sysadm_passwd_roles; -roleattribute system_r sysadm_passwd_roles; +#attribute_role sysadm_passwd_roles; +#roleattribute system_r sysadm_passwd_roles; -attribute_role useradd_roles; +#attribute_role useradd_roles; type admin_passwd_exec_t; files_type(admin_passwd_exec_t) @@ -25,7 +25,8 @@ type chfn_t; type chfn_exec_t; domain_obj_id_change_exemption(chfn_t) application_domain(chfn_t, chfn_exec_t) -role chfn_roles types chfn_t; +#role chfn_roles types chfn_t; +role system_r types chfn_t; type crack_t; type crack_exec_t; 
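Review bot: `usermanage_run_useradd` no longer transitions to the useradd domain at all: the new body requires `type sysadm_passwd_t;`, calls `usermanage_domtrans_admin_passwd($1)` and binds the role to `sysadm_passwd_t`, so every caller loses the useradd transition and silently gains an admin-passwd one it never asked for (this reads like a copy of `usermanage_run_admin_passwd` above). The body should keep `usermanage_domtrans_useradd($1)`, bind `$2` to `useradd_t`, and point the `nscd_run` call at `useradd_t` as well. Since the useradd hunk of usermanage.te later in this commit turns `auth_run_chk_passwd` into `auth_domtrans_chk_passwd(useradd_t)`, the role association for the password checker presumably has to come from here too, as it does in `usermanage_run_passwd`.
```m4
interface(`usermanage_run_useradd',`
	gen_require(`
		type useradd_t;
	')

	usermanage_domtrans_useradd($1)
	role $2 types useradd_t;
	auth_run_chk_passwd(useradd_t, $2)

	optional_policy(`
		nscd_run(useradd_t, $2)
	')
')
```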
@@ -42,18 +43,21 @@ type groupadd_t; type groupadd_exec_t; domain_obj_id_change_exemption(groupadd_t) init_system_domain(groupadd_t, groupadd_exec_t) -role groupadd_roles types groupadd_t; +#role groupadd_roles types groupadd_t; + type passwd_t; type passwd_exec_t; domain_obj_id_change_exemption(passwd_t) application_domain(passwd_t, passwd_exec_t) -role passwd_roles types passwd_t; +#role passwd_roles types passwd_t; +role system_r types passwd_t; type sysadm_passwd_t; domain_obj_id_change_exemption(sysadm_passwd_t) application_domain(sysadm_passwd_t, admin_passwd_exec_t) -role sysadm_passwd_roles types sysadm_passwd_t; +#role sysadm_passwd_roles types sysadm_passwd_t; +role system_r types sysadm_passwd_t; type sysadm_passwd_tmp_t; files_tmp_file(sysadm_passwd_tmp_t) @@ -62,7 +66,8 @@ type useradd_t; type useradd_exec_t; domain_obj_id_change_exemption(useradd_t) init_system_domain(useradd_t, useradd_exec_t) -role useradd_roles types useradd_t; +#role useradd_roles types useradd_t; +role system_r types useradd_t; ######################################## # @@ -106,11 +111,11 @@ fs_search_auto_mountpoints(chfn_t) dev_read_urand(chfn_t) dev_dontaudit_getattr_all(chfn_t) -#auth_manage_passwd(chfn_t) -#auth_use_pam(chfn_t) -auth_run_chk_passwd(chfn_t, chfn_roles) -auth_dontaudit_read_shadow(chfn_t) -auth_use_nsswitch(chfn_t) +auth_manage_passwd(chfn_t) +auth_use_pam(chfn_t) +#auth_run_chk_passwd(chfn_t, chfn_roles) +#auth_dontaudit_read_shadow(chfn_t) +#auth_use_nsswitch(chfn_t) # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) @@ -250,7 +255,8 @@ logging_send_syslog_msg(groupadd_t) miscfiles_read_localization(groupadd_t) -auth_run_chk_passwd(groupadd_t, groupadd_roles) +#auth_run_chk_passwd(groupadd_t, groupadd_roles) +auth_domtrans_chk_passwd(groupadd_t) auth_rw_lastlog(groupadd_t) auth_use_nsswitch(groupadd_t) auth_manage_passwd(groupadd_t) 
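Review bot: `groupadd_t` is the only domain in this declarations hunk that loses its role statement without a replacement: `role groupadd_roles types groupadd_t;` becomes a comment followed by a blank line, whereas `passwd_t`, `sysadm_passwd_t` and `useradd_t` each get `role system_r types X_t;`. If `init_system_domain` already associates `system_r` with the type this is harmless, but then the `useradd_t` line is redundant; either way the file should be consistent, so add `role system_r types groupadd_t;` in the same place.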
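Review bot: The chfn_t hunk changes TE access, not just role plumbing: `auth_manage_passwd(chfn_t)` and `auth_use_pam(chfn_t)` are enabled while `auth_dontaudit_read_shadow(chfn_t)` and `auth_use_nsswitch(chfn_t)` are commented out, and none of these lines reference a role attribute. Dropping the dontaudit rule will surface new shadow-read denials in the audit log, and the nsswitch access survives only if `auth_use_pam` provides it, which cannot be confirmed from the hunk. The passwd_t hunk on the next line makes the same swap (`auth_use_nsswitch(passwd_t)` commented out in favour of `auth_use_pam(passwd_t)`); both deserve either a commit-message justification or a separate commit so the role change stays reviewable on its own.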
@@ -273,7 +279,8 @@ optional_policy(` ') optional_policy(` - nscd_run(groupadd_t, groupadd_roles) +# nscd_run(groupadd_t, groupadd_roles) + nscd_domtrans(groupadd_t) ') optional_policy(` @@ -332,18 +339,18 @@ selinux_compute_user_contexts(passwd_t) term_use_all_inherited_terms(passwd_t) term_getattr_all_ptys(passwd_t) -#auth_manage_passwd(passwd_t) -#auth_manage_shadow(passwd_t) -#auth_relabel_shadow(passwd_t) -#auth_etc_filetrans_shadow(passwd_t) -#auth_use_pam(passwd_t) - -auth_run_chk_passwd(passwd_t, passwd_roles) auth_manage_passwd(passwd_t) auth_manage_shadow(passwd_t) auth_relabel_shadow(passwd_t) auth_etc_filetrans_shadow(passwd_t) -auth_use_nsswitch(passwd_t) +auth_use_pam(passwd_t) + +#auth_run_chk_passwd(passwd_t, passwd_roles) +#auth_manage_passwd(passwd_t) +#auth_manage_shadow(passwd_t) +#auth_relabel_shadow(passwd_t) +#auth_etc_filetrans_shadow(passwd_t) +#auth_use_nsswitch(passwd_t) # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) @@ -385,7 +392,8 @@ userdom_dontaudit_search_user_home_content(passwd_t) userdom_stream_connect(passwd_t) optional_policy(` - nscd_run(passwd_t, passwd_roles) + #nscd_run(passwd_t, passwd_roles) + nscd_domtrans(passwd_t) ') ######################################## @@ -469,7 +477,8 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t) userdom_dontaudit_search_user_home_content(sysadm_passwd_t) optional_policy(` - nscd_run(sysadm_passwd_t, sysadm_passwd_roles) + nscd_domtrans(sysadm_passwd_t) + #nscd_run(sysadm_passwd_t, sysadm_passwd_roles) ') ######################################## @@ -525,7 +534,8 @@ seutil_manage_default_contexts(useradd_t) term_use_all_inherited_terms(useradd_t) term_getattr_all_ptys(useradd_t) -auth_run_chk_passwd(useradd_t, useradd_roles) +#auth_run_chk_passwd(useradd_t, useradd_roles) +auth_domtrans_chk_passwd(useradd_t) auth_rw_lastlog(useradd_t) auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) 
@@ -547,15 +557,15 @@ miscfiles_read_localization(useradd_t) seutil_read_config(useradd_t) seutil_read_file_contexts(useradd_t) seutil_read_default_contexts(useradd_t) -#seutil_domtrans_semanage(useradd_t) -#seutil_domtrans_setfiles(useradd_t) -#seutil_domtrans_loadpolicy(useradd_t) -#seutil_manage_bin_policy(useradd_t) -#seutil_manage_module_store(useradd_t) -#seutil_get_semanage_trans_lock(useradd_t) -#seutil_get_semanage_read_lock(useradd_t) -seutil_run_semanage(useradd_t, useradd_roles) -seutil_run_setfiles(useradd_t, useradd_roles) +seutil_domtrans_semanage(useradd_t) +seutil_domtrans_setfiles(useradd_t) +seutil_domtrans_loadpolicy(useradd_t) +seutil_manage_bin_policy(useradd_t) +seutil_manage_module_store(useradd_t) +seutil_get_semanage_trans_lock(useradd_t) +seutil_get_semanage_read_lock(useradd_t) +#seutil_run_semanage(useradd_t, useradd_roles) +#seutil_run_setfiles(useradd_t, useradd_roles) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -576,7 +586,8 @@ optional_policy(` ') optional_policy(` - nscd_run(useradd_t, useradd_roles) + nscd_domtrans(useradd_t) +# nscd_run(useradd_t, useradd_roles) ') optional_policy(` diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if index 174cfdb..7071460 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if @@ -38,11 +38,22 @@ interface(`iptables_domtrans',` # interface(`iptables_run',` gen_require(` - attribute_role iptables_roles; + #attribute_role iptables_roles; + type iptables_t; ') + #iptables_domtrans($1) + #roleattribute $2 iptables_roles; + iptables_domtrans($1) - roleattribute $2 iptables_roles; + role $2 types iptables_t; + + sysnet_run_ifconfig(iptables_t, $2) + + optional_policy(` + modutils_run_insmod(iptables_t, $2) + ') + ') ######################################## diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index cc8d773..36e02fa 100644 --- a/policy/modules/system/iptables.te 
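Review bot: Replacing `seutil_run_semanage`/`seutil_run_setfiles` widens useradd_t well beyond the role change: the hunk enables `seutil_domtrans_loadpolicy(useradd_t)`, `seutil_manage_bin_policy`, `seutil_manage_module_store` and both `seutil_get_semanage_*_lock` calls, all of which were commented out before. The "Fix passwd" commit further down this page re-comments the bin_policy and module_store lines, but the loadpolicy transition and the lock access remain, so useradd_t can now load policy and take the semanage locks directly instead of going through semanage_t. If only the role attribute is meant to go away, the minimal change is `seutil_domtrans_semanage(useradd_t)` plus `seutil_domtrans_setfiles(useradd_t)` here, with the role association supplied by `seutil_run_semanage(useradd_t, $2)` and `seutil_run_setfiles(useradd_t, $2)` in `usermanage_run_useradd`.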
+++ b/policy/modules/system/iptables.te @@ -5,13 +5,14 @@ policy_module(iptables, 1.13.0) # Declarations # -attribute_role iptables_roles; -roleattribute system_r iptables_roles; +#attribute_role iptables_roles; +#roleattribute system_r iptables_roles; type iptables_t; type iptables_exec_t; init_system_domain(iptables_t, iptables_exec_t) -role iptables_roles types iptables_t; +#role iptables_roles types iptables_t; +role system_r types iptables_t; type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) @@ -97,7 +98,8 @@ logging_send_syslog_msg(iptables_t) miscfiles_read_localization(iptables_t) -sysnet_run_ifconfig(iptables_t, iptables_roles) +#sysnet_run_ifconfig(iptables_t, iptables_roles) +sysnet_domtrans_ifconfig(iptables_t) sysnet_dns_name_resolve(iptables_t) userdom_use_inherited_user_terminals(iptables_t) @@ -119,7 +121,8 @@ optional_policy(` ') optional_policy(` - modutils_run_insmod(iptables_t, iptables_roles) + modutils_domtrans_insmod(iptables_t) + #modutils_run_insmod(iptables_t, iptables_roles) ') optional_policy(` diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index 786f87a..2debedc 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -345,11 +345,18 @@ interface(`modutils_domtrans_update_mods',` # interface(`modutils_run_update_mods',` gen_require(` - attribute_role update_modules_roles; + #attribute_role update_modules_roles; + type update_modules_t; ') + #modutils_domtrans_update_mods($1) + #roleattribute $2 update_modules_roles; + modutils_domtrans_update_mods($1) - roleattribute $2 update_modules_roles; + role $2 types update_modules_t; + + modutils_run_insmod(update_modules_t, $2) + ') ######################################## diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index b83608d..86a7107 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te 
@@ -5,7 +5,7 @@ policy_module(modutils, 1.12.1) # Declarations # -attribute_role update_modules_roles; +#attribute_role update_modules_roles; type depmod_t; type depmod_exec_t; @@ -30,8 +30,9 @@ files_type(modules_dep_t) type update_modules_t; type update_modules_exec_t; init_system_domain(update_modules_t, update_modules_exec_t) -roleattribute system_r update_modules_roles; -role update_modules_roles types update_modules_t; +#roleattribute system_r update_modules_roles; +#role update_modules_roles types update_modules_t; +role system_r types update_modules_t; type update_modules_tmp_t; files_tmp_file(update_modules_tmp_t) @@ -318,7 +319,7 @@ logging_send_syslog_msg(update_modules_t) miscfiles_read_localization(update_modules_t) -modutils_run_insmod(update_modules_t, update_modules_roles) +#modutils_run_insmod(update_modules_t, update_modules_roles) userdom_use_inherited_user_terminals(update_modules_t) userdom_dontaudit_search_user_home_dirs(update_modules_t) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if index 52e78b8..4881d86 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -44,11 +44,36 @@ interface(`mount_domtrans',` # interface(`mount_run',` gen_require(` - attribute_role mount_roles; + #attribute_role mount_roles; + type mount_t; ') + #mount_domtrans($1) + #roleattribute $2 mount_roles; + mount_domtrans($1) - roleattribute $2 mount_roles; + role $2 types mount_t; + + optional_policy(` + fstools_run(mount_t, $2) + ') + + optional_policy(` + lvm_run(mount_t, $2) + ') + + optional_policy(` + modutils_run_insmod(mount_t, $2) + ') + + optional_policy(` + rpc_run_rpcd(mount_t, $2) + ') + + optional_policy(` + samba_run_smbmount(mount_t, $2) + ') + ') ######################################## diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index cc76452..14320fe 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te 
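Review bot: `modutils_run_insmod(update_modules_t, update_modules_roles)` is commented out without a `modutils_domtrans_insmod(update_modules_t)` replacement, unlike the iptables, mount and dhcpc hunks in this commit, which pair each removed `*_run` with a `*_domtrans`. The transition to the insmod domain now exists only if some module calls `modutils_run_update_mods`, which is where this commit moved the `modutils_run_insmod` call; update_modules_t started from init under system_r otherwise loses it. The same gap appears in mount.te (`rpc_run_rpcd` is commented out with no `rpc_domtrans_rpcd(mount_t)`) and in sysnetwork.te, where `sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)` and `consoletype_run(dhcpc_t, dhcpc_roles)` disappear with no `sysnet_domtrans_ifconfig(dhcpc_t)` or `consoletype_domtrans(dhcpc_t)`, which for a DHCP client daemon means its ifconfig transition depends on an unrelated caller of `sysnet_run_dhcpc`.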
@@ -12,13 +12,14 @@ policy_module(mount, 1.14.2) ## gen_tunable(allow_mount_anyfile, false) -attribute_role mount_roles; -roleattribute system_r mount_roles; +#attribute_role mount_roles; +#roleattribute system_r mount_roles; type mount_t; type mount_exec_t; init_system_domain(mount_t, mount_exec_t) -role mount_roles types mount_t; +#role mount_roles types mount_t; +role system_r types mount_t; type fusermount_exec_t; domain_entry_file(mount_t, fusermount_exec_t) @@ -286,25 +287,28 @@ optional_policy(` # Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 optional_policy(` - lvm_run(mount_t, mount_roles) +# lvm_run(mount_t, mount_roles) + lvm_domtrans(mount_t) ') optional_policy(` - modutils_run_insmod(mount_t, mount_roles) + #modutils_run_insmod(mount_t, mount_roles) + modutils_domtrans_insmod(mount_t) modutils_read_module_deps(mount_t) ') optional_policy(` - fstools_run(mount_t, mount_roles) + fstools_domtrans(mount_t) + #fstools_run(mount_t, mount_roles) ') optional_policy(` rhcs_stream_connect_gfs_controld(mount_t) ') -optional_policy(` - rpc_run_rpcd(mount_t, mount_roles) -') +#optional_policy(` +# rpc_run_rpcd(mount_t, mount_roles) +#') # for kernel package installation optional_policy(` @@ -314,7 +318,8 @@ optional_policy(` optional_policy(` samba_read_config(mount_t) - samba_run_smbmount(mount_t, mount_roles) + samba_domtrans_smbmount(mount_t) + #samba_run_smbmount(mount_t, mount_roles) ') optional_policy(` diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if index a853819..cebf588 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if 
@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',` # interface(`seutil_run_newrole',` gen_require(` - attribute_role newrole_roles; + type newrole_t; + #attribute_role newrole_roles; ') + #seutil_domtrans_newrole($1) + #roleattribute $2 newrole_roles; + seutil_domtrans_newrole($1) - roleattribute $2 newrole_roles; + role $2 types newrole_t; + + auth_run_upd_passwd(newrole_t, $2) + + optional_policy(` + namespace_init_run(newrole_t, $2) + ') + ') ######################################## diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 2aee0c0..4c24e3e 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -14,7 +14,7 @@ attribute can_relabelto_binary_policy; attribute setfiles_domain; attribute seutil_semanage_domain; -attribute_role newrole_roles; +#attribute_role newrole_roles; attribute_role run_init_roles; role system_r types run_init_t; @@ -65,7 +65,8 @@ application_domain(newrole_t, newrole_exec_t) domain_role_change_exemption(newrole_t) domain_obj_id_change_exemption(newrole_t) domain_interactive_fd(newrole_t) -role newrole_roles types newrole_t; +#role newrole_roles types newrole_t; +role system_r types newrole_t; # # policy_config_t is the type of /etc/security/selinux/* @@ -299,10 +300,11 @@ term_relabel_all_ptys(newrole_t) term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) -auth_use_nsswitch(newrole_t) -auth_run_chk_passwd(newrole_t, newrole_roles) -auth_run_upd_passwd(newrole_t, newrole_roles) -auth_rw_faillog(newrole_t) +#auth_use_nsswitch(newrole_t) +#auth_run_chk_passwd(newrole_t, newrole_roles) +#auth_run_upd_passwd(newrole_t, newrole_roles) +#auth_rw_faillog(newrole_t) +auth_use_pam(newrole_t) # Write to utmp. init_rw_utmp(newrole_t) 
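Review bot: `seutil_run_newrole` adds `auth_run_upd_passwd(newrole_t, $2)` but not `auth_run_chk_passwd(newrole_t, $2)`, while the selinuxutil.te hunk on this line replaces both `auth_run_chk_passwd` and `auth_run_upd_passwd` with `auth_use_pam(newrole_t)`, which carries no role statement. Roles calling this interface therefore keep an association with the password-update domain but lose the one for the password-checking domain, which is the one newrole needs to authenticate the user. Add `auth_run_chk_passwd(newrole_t, $2)` beside the upd_passwd call; the .te hunk also comments out `auth_rw_faillog(newrole_t)` and `auth_use_nsswitch(newrole_t)`, which is only safe if `auth_use_pam` grants them — worth confirming rather than assuming.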
@@ -322,9 +324,9 @@ optional_policy(` dbus_system_bus_client(newrole_t) ') -optional_policy(` - namespace_init_run(newrole_t, newrole_roles) -') +#optional_policy(` +# namespace_init_run(newrole_t, newrole_roles) +#') optional_policy(` diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index 7b08f77..949fdcc 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,47 @@ interface(`sysnet_domtrans_dhcpc',` # interface(`sysnet_run_dhcpc',` gen_require(` - attribute_role dhcpc_roles; + type dhcpc_t; + #attribute_role dhcpc_roles; ') + #sysnet_domtrans_dhcpc($1) + #roleattribute $2 dhcpc_roles; + sysnet_domtrans_dhcpc($1) - roleattribute $2 dhcpc_roles; + role $2 types dhcpc_t; + + modutils_run_insmod(dhcpc_t, $2) + + sysnet_run_ifconfig(dhcpc_t, $2) + + optional_policy(` + hostname_run(dhcpc_t, $2) + ') + + optional_policy(` + netutils_run(dhcpc_t, $2) + netutils_run_ping(dhcpc_t, $2) + ') + + optional_policy(` + networkmanager_run(dhcpc_t, $2) + ') + + optional_policy(` + nis_run_ypbind(dhcpc_t, $2) + ') + + optional_policy(` + nscd_run(dhcpc_t, $2) + ') + + optional_policy(` + ntp_run(dhcpc_t, $2) + ') + + seutil_run_setfiles(dhcpc_t, $2) + ') ######################################## diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 2d2b6ef..1bfcd4f 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -12,8 +12,8 @@ policy_module(sysnetwork, 1.13.2) ## gen_tunable(dhcpc_exec_iptables, false) -attribute_role dhcpc_roles; -roleattribute system_r dhcpc_roles; +#attribute_role dhcpc_roles; +#roleattribute system_r dhcpc_roles; # this is shared between dhcpc and dhcpd: type dhcp_etc_t; 
@@ -27,7 +27,8 @@ files_type(dhcp_state_t) type dhcpc_t; type dhcpc_exec_t; init_daemon_domain(dhcpc_t, dhcpc_exec_t) -role dhcpc_roles types dhcpc_t; +#role dhcpc_roles types dhcpc_t; +role system_r types dhcpc_t; type dhcpc_helper_exec_t; init_script_file(dhcpc_helper_exec_t) @@ -159,9 +160,10 @@ logging_send_syslog_msg(dhcpc_t) miscfiles_read_generic_certs(dhcpc_t) miscfiles_read_localization(dhcpc_t) -modutils_run_insmod(dhcpc_t, dhcpc_roles) +#modutils_run_insmod(dhcpc_t, dhcpc_roles) +modutils_domtrans_insmod(dhcpc_t) +#sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) -sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) userdom_use_user_terminals(dhcpc_t) userdom_dontaudit_search_user_home_dirs(dhcpc_t) @@ -176,9 +178,9 @@ ifdef(`distro_ubuntu',` ') ') -optional_policy(` - consoletype_run(dhcpc_t, dhcpc_roles) -') +#optional_policy(` +# consoletype_run(dhcpc_t, dhcpc_roles) +#') optional_policy(` chronyd_initrc_domtrans(dhcpc_t) @@ -203,7 +205,8 @@ optional_policy(` ') optional_policy(` - hostname_run(dhcpc_t, dhcpc_roles) + hostname_domtrans(dhcpc_t) +# hostname_run(dhcpc_t, dhcpc_roles) ') optional_policy(` commit 0a0c8b9d35398f3662db1b0bdb2f4c7761121ba1 Author: Miroslav Grepl Date: Thu Jun 7 02:26:53 2012 +0200 roleattribute patch for passwd_t diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if index 764260e..da75471 100644 --- a/policy/modules/admin/usermanage.if +++ b/policy/modules/admin/usermanage.if @@ -176,7 +176,7 @@ interface(`usermanage_kill_passwd',` # interface(`usermanage_run_passwd',` gen_require(` - type type passwd_t; + type passwd_t; #attribute_role passwd_roles; ') commit 0b71245f63ddbb6ca00790fa5318db798286d8d8 Author: Miroslav Grepl Date: Thu Jun 7 02:38:28 2012 +0200 Fix also for sysnetwork.te diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 1bfcd4f..3a94d52 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te 
@@ -226,8 +226,10 @@ optional_policy(` # for the dhcp client to run ping to check IP addresses optional_policy(` - netutils_run_ping(dhcpc_t, dhcpc_roles) - netutils_run(dhcpc_t, dhcpc_roles) + #netutils_run_ping(dhcpc_t, dhcpc_roles) + #netutils_run(dhcpc_t, dhcpc_roles) + netutils_domtrans_ping(dhcpc_t) + netutils_domtrans(dhcpc_t ',` allow dhcpc_t self:capability setuid; allow dhcpc_t self:rawip_socket create_socket_perms; commit fdfc3cf8dbc69bda177afe16e78a52891cb6da4a Author: Miroslav Grepl Date: Thu Jun 7 02:41:48 2012 +0200 Other diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 3a94d52..6a6f03f 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -229,7 +229,7 @@ optional_policy(` #netutils_run_ping(dhcpc_t, dhcpc_roles) #netutils_run(dhcpc_t, dhcpc_roles) netutils_domtrans_ping(dhcpc_t) - netutils_domtrans(dhcpc_t + netutils_domtrans(dhcpc_t) ',` allow dhcpc_t self:capability setuid; allow dhcpc_t self:rawip_socket create_socket_perms; commit 2ea19d46d563741f998001a38f9d4dbb4d1fdd06 Author: Miroslav Grepl Date: Thu Jun 7 08:10:01 2012 +0200 Fix passwd diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index a077b28..396909c 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -526,11 +526,6 @@ fs_getattr_xattr_fs(useradd_t) mls_file_upgrade(useradd_t) mls_process_read_to_clearance(useradd_t) -seutil_semanage_policy(useradd_t) -seutil_manage_file_contexts(useradd_t) -seutil_manage_config(useradd_t) -seutil_manage_default_contexts(useradd_t) - term_use_all_inherited_terms(useradd_t) term_getattr_all_ptys(useradd_t) 
@@ -554,14 +549,19 @@ logging_send_syslog_msg(useradd_t) miscfiles_read_localization(useradd_t) +seutil_semanage_policy(useradd_t) +seutil_manage_file_contexts(useradd_t) +seutil_manage_config(useradd_t) +seutil_manage_default_contexts(useradd_t) + seutil_read_config(useradd_t) seutil_read_file_contexts(useradd_t) seutil_read_default_contexts(useradd_t) seutil_domtrans_semanage(useradd_t) seutil_domtrans_setfiles(useradd_t) seutil_domtrans_loadpolicy(useradd_t) -seutil_manage_bin_policy(useradd_t) -seutil_manage_module_store(useradd_t) +#seutil_manage_bin_policy(useradd_t) +#seutil_manage_module_store(useradd_t) seutil_get_semanage_trans_lock(useradd_t) seutil_get_semanage_read_lock(useradd_t) #seutil_run_semanage(useradd_t, useradd_roles) commit db92f5bcb6fe7f86aae12dffe64ec3d920815343 Author: Miroslav Grepl Date: Thu Jun 7 08:30:34 2012 +0200 Also for semanage_roles diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if index cebf588..7e38077 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -1140,11 +1140,18 @@ interface(`seutil_domtrans_setsebool',` # interface(`seutil_run_semanage',` gen_require(` - attribute_role semanage_roles; + #attribute_role semanage_roles; + type semanage_t; ') + #seutil_domtrans_semanage($1) + #roleattribute $2 semanage_roles; + seutil_domtrans_semanage($1) - roleattribute $2 semanage_roles; + seutil_run_setfiles(semanage_t, $2) + seutil_run_loadpolicy(semanage_t, $2) + role $2 types semanage_t; + ') ######################################## diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 4c24e3e..90498cd 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te 
@@ -19,8 +19,8 @@ attribute seutil_semanage_domain; attribute_role run_init_roles; role system_r types run_init_t; -attribute_role semanage_roles; -roleattribute system_r semanage_roles; +#attribute_role semanage_roles; +#roleattribute system_r semanage_roles; # # selinux_config_t is the type applied to @@ -110,7 +110,8 @@ application_domain(semanage_t, semanage_exec_t) dbus_system_domain(semanage_t, semanage_exec_t) init_daemon_domain(semanage_t, semanage_exec_t) domain_interactive_fd(semanage_t) -role semanage_roles types semanage_t; +#role semanage_roles types semanage_t; +role system_r types semanage_t; type setsebool_t; type setsebool_exec_t; @@ -530,14 +531,15 @@ files_read_non_security_files(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_config(semanage_t) - -seutil_run_setfiles(semanage_t, semanage_roles) -seutil_run_loadpolicy(semanage_t, semanage_roles) -seutil_manage_bin_policy(semanage_t) -seutil_use_newrole_fds(semanage_t) -seutil_manage_module_store(semanage_t) -seutil_get_semanage_trans_lock(semanage_t) -seutil_get_semanage_read_lock(semanage_t) +seutil_domtrans_setfiles(semanage_t) + +#seutil_run_setfiles(semanage_t, semanage_roles) +#seutil_run_loadpolicy(semanage_t, semanage_roles) +#seutil_manage_bin_policy(semanage_t) +#seutil_use_newrole_fds(semanage_t) +#seutil_manage_module_store(semanage_t) +#seutil_get_semanage_trans_lock(semanage_t) +#seutil_get_semanage_read_lock(semanage_t) # netfilter_contexts: seutil_manage_default_contexts(semanage_t) commit aebf9204ec2a7cfb943327eb3aace2a9b4130769 Author: Miroslav Grepl Date: Thu Jun 7 08:38:22 2012 +0200 run_init roles diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if index 7e38077..6903c5e 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if 
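Review bot: The semanage_t hunk comments out `seutil_manage_bin_policy`, `seutil_use_newrole_fds`, `seutil_manage_module_store`, `seutil_get_semanage_trans_lock` and `seutil_get_semanage_read_lock`, none of which involve `semanage_roles`, and adds only `seutil_domtrans_setfiles(semanage_t)` with no counterpart for the removed `seutil_run_loadpolicy`. Unless these rules are duplicated through the `seutil_semanage_domain` attribute, semanage can no longer write the module store or take its locks, which is its core job. Keep the five non-role rules as they were and pair each removed `*_run` with a `*_domtrans`, leaving the role association to `seutil_run_semanage`.
```m4
seutil_manage_config(semanage_t)

seutil_domtrans_setfiles(semanage_t)
seutil_domtrans_loadpolicy(semanage_t)
seutil_manage_bin_policy(semanage_t)
seutil_use_newrole_fds(semanage_t)
seutil_manage_module_store(semanage_t)
seutil_get_semanage_trans_lock(semanage_t)
seutil_get_semanage_read_lock(semanage_t)

# … unchanged: netfilter_contexts rules …
```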
@@ -457,11 +457,20 @@ interface(`seutil_init_script_domtrans_runinit',` # interface(`seutil_run_runinit',` gen_require(` - attribute_role run_init_roles; + #attribute_role run_init_roles; + type run_init_t; + role system_r; ') - seutil_domtrans_runinit($1) - roleattribute $2 run_init_roles; + #seutil_domtrans_runinit($1) + #roleattribute $2 run_init_roles; + + auth_run_chk_passwd(run_init_t, $2) + seutil_domtrans_runinit($1) + role $2 types run_init_t; + + allow $2 system_r; + ') ######################################## diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 90498cd..06b4e9a 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -16,8 +16,8 @@ attribute seutil_semanage_domain; #attribute_role newrole_roles; -attribute_role run_init_roles; -role system_r types run_init_t; +#attribute_role run_init_roles; +#role system_r types run_init_t; #attribute_role semanage_roles; #roleattribute system_r semanage_roles; @@ -102,7 +102,8 @@ type run_init_t; type run_init_exec_t; application_domain(run_init_t, run_init_exec_t) domain_system_change_exemption(run_init_t) -role run_init_roles types run_init_t; +#role run_init_roles types run_init_t; +role system_r types run_init_t; type semanage_t; type semanage_exec_t; @@ -412,7 +413,7 @@ optional_policy(` # Run_init local policy # -allow run_init_roles system_r; +#allow run_init_roles system_r; allow run_init_t self:process setexec; allow run_init_t self:capability setuid; 
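Review bot: `seutil_run_runinit` adds `auth_run_chk_passwd(run_init_t, $2)` but nothing for the password-update helper, while the selinuxutil.te hunk on the next line converts both `auth_run_chk_passwd` and `auth_run_upd_passwd` to plain `auth_domtrans_*` calls; the caller's role thus gets no association with the domain `auth_domtrans_upd_passwd(run_init_t)` transitions to. Add `auth_run_upd_passwd(run_init_t, $2)` next to the chk_passwd call, and do the same in `seutil_init_script_run_runinit` in the last commit on this page, which copies the same body. Placing the two `auth_run_*` lines after `seutil_domtrans_runinit($1)` and `role $2 types run_init_t;` would also match the order used by the other `*_run` interfaces in this series.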
@@ -449,11 +450,17 @@ selinux_compute_user_contexts(run_init_t) term_use_console(run_init_t) +#auth_use_nsswitch(run_init_t) +#auth_run_chk_passwd(run_init_t, run_init_roles) +#auth_run_upd_passwd(run_init_t, run_init_roles) +#auth_dontaudit_read_shadow(run_init_t) + auth_use_nsswitch(run_init_t) -auth_run_chk_passwd(run_init_t, run_init_roles) -auth_run_upd_passwd(run_init_t, run_init_roles) +auth_domtrans_chk_passwd(run_init_t) +auth_domtrans_upd_passwd(run_init_t) auth_dontaudit_read_shadow(run_init_t) + init_spec_domtrans_script(run_init_t) # for utmp init_rw_utmp(run_init_t) commit 4803dd3583e4c84e24a7f6974e195bb8145f1bb5 Author: Miroslav Grepl Date: Thu Jun 7 10:01:51 2012 +0200 One more for run_init diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if index 6903c5e..b64a37a 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -502,11 +502,19 @@ interface(`seutil_run_runinit',` # interface(`seutil_init_script_run_runinit',` gen_require(` - attribute_role run_init_roles; + #attribute_role run_init_roles; + type run_init_t; + role system_r; ') - seutil_init_script_domtrans_runinit($1) - roleattribute $2 run_init_roles; + #seutil_init_script_domtrans_runinit($1) + #roleattribute $2 run_init_roles; + auth_run_chk_passwd(run_init_t, $2) + seutil_init_script_domtrans_runinit($1) + role $2 types run_init_t; + + allow $2 system_r; + ') ########################################