commit f53f820fe366940d4fdecaef80de4e5b1178fac6 Author: Miroslav Grepl Date: Thu Jun 7 01:38:59 2012 +0200 roleattribute patch diff --git a/livecd.if b/livecd.if index bfbf676..fb7869e 100644 --- a/livecd.if +++ b/livecd.if @@ -38,12 +38,19 @@ interface(`livecd_run',` gen_require(` type livecd_t; type livecd_exec_t; - attribute_role livecd_roles; + #attribute_role livecd_roles; ') livecd_domtrans($1) - roleattribute $2 livecd_roles; + #roleattribute $2 livecd_roles; + role $2 types livecd_t; role_transition $2 livecd_exec_t system_r; + + seutil_run_setfiles_mac(livecd_t, system_r) + + optional_policy(` + mount_run(livecd_t, $2) + ') ') ######################################## diff --git a/livecd.te b/livecd.te index 65efdae..7a944b5 100644 --- a/livecd.te +++ b/livecd.te @@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0) # Declarations # -attribute_role livecd_roles; -roleattribute system_r livecd_roles; +#attribute_role livecd_roles; +#roleattribute system_r livecd_roles; type livecd_t; type livecd_exec_t; application_domain(livecd_t, livecd_exec_t) -role livecd_roles types livecd_t; +role system_r types livecd_t; +#role livecd_roles types livecd_t; type livecd_tmp_t; files_tmp_file(livecd_tmp_t) @@ -35,10 +36,10 @@ term_filetrans_all_named_dev(livecd_t) sysnet_filetrans_named_content(livecd_t) -optional_policy(` - mount_run(livecd_t, livecd_roles) - seutil_run_setfiles_mac(livecd_t, livecd_roles) -') +#optional_policy(` +# mount_run(livecd_t, livecd_roles) +# seutil_run_setfiles_mac(livecd_t, livecd_roles) +#') optional_policy(` ssh_filetrans_admin_home_content(livecd_t) diff --git a/mozilla.if b/mozilla.if index 30b0241..30bfefb 100644 --- a/mozilla.if +++ b/mozilla.if 
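Review bot: In livecd_run, `mount_run(livecd_t, $2)` authorizes the caller's role $2 for mount_t, but the `role_transition $2 livecd_exec_t system_r` two lines above means livecd_t always runs in system_r, so a livecd_t to mount_t transition is checked against system_r, not $2 — the argument looks like the wrong role and it is inconsistent with `seutil_run_setfiles_mac(livecd_t, system_r)` directly above it. Unless mount_t is already authorized for system_r elsewhere, the mount transition will fail with a role denial; `mount_run(livecd_t, system_r)` matches the setfiles call. Both calls also moved from livecd.te into the interface, so they are now emitted only when some module calls livecd_run; if livecd_t should be able to run mount and setfiles regardless of callers, keep them in livecd.te as well.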
@@ -18,10 +18,11 @@ interface(`mozilla_role',` gen_require(` type mozilla_t, mozilla_exec_t, mozilla_home_t; - attribute_role mozilla_roles; + #attribute_role mozilla_roles; ') - roleattribute $1 mozilla_roles; + #roleattribute $1 mozilla_roles; + role $1 types mozilla_t; domain_auto_trans($2, mozilla_exec_t, mozilla_t) # Unrestricted inheritance from the caller. @@ -47,6 +48,8 @@ interface(`mozilla_role',` relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) + #should be remove then with adding of roleattribute + mozilla_run_plugin(mozilla_t, $1) mozilla_dbus_chat($2) userdom_manage_tmp_role($1, mozilla_t) @@ -63,7 +66,6 @@ interface(`mozilla_role',` mozilla_filetrans_home_content($2) - mozilla_dbus_chat($2) ') ######################################## diff --git a/mozilla.te b/mozilla.te index 7bf56bf..56700a4 100644 --- a/mozilla.te +++ b/mozilla.te @@ -19,14 +19,15 @@ gen_tunable(mozilla_read_content, false) ## gen_tunable(mozilla_plugin_enable_homedirs, false) -attribute_role mozilla_roles; +#attribute_role mozilla_roles; type mozilla_t; type mozilla_exec_t; typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; userdom_user_application_domain(mozilla_t, mozilla_exec_t) -role mozilla_roles types mozilla_t; +#role mozilla_roles types mozilla_t; +role system_r types mozilla_t; type mozilla_conf_t; files_config_file(mozilla_conf_t) @@ -39,7 +40,8 @@ userdom_user_home_content(mozilla_home_t) type mozilla_plugin_t; type mozilla_plugin_exec_t; application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) -role mozilla_roles types mozilla_plugin_t; +#role mozilla_roles types mozilla_plugin_t; +role system_r types mozilla_plugin_t; type mozilla_plugin_tmp_t; userdom_user_tmp_content(mozilla_plugin_tmp_t) 
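Review bot: `role system_r types mozilla_t;` in the mozilla.te declarations hunk authorizes the system role for an interactive user browser domain; the roles that should reach mozilla_t already arrive through `role $1 types mozilla_t;` in mozilla_role, so the system_r pairing looks like a compile-time placeholder rather than something a user session needs. If it is only there so the .te builds without a roleattribute, say so in a comment next to it and plan its removal, because a role/type pairing like this quietly widens what a system_r process could transition into (only where a matching domain transition exists, which this hunk does not show). The new interface comment `#should be remove then with adding of roleattribute` is hard to read; `# remove once roleattribute support is available again; the roles then come from mozilla_roles` says the same thing clearly.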
@@ -55,7 +57,8 @@ files_type(mozilla_plugin_rw_t) type mozilla_plugin_config_t; type mozilla_plugin_config_exec_t; application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) -role mozilla_roles types mozilla_plugin_config_t; +#role mozilla_roles types mozilla_plugin_config_t; +role system_r types mozilla_plugin_config_t; type mozilla_tmp_t; userdom_user_tmp_file(mozilla_tmp_t) @@ -186,7 +189,7 @@ sysnet_dns_name_resolve(mozilla_t) userdom_use_inherited_user_ptys(mozilla_t) -mozilla_run_plugin(mozilla_t, mozilla_roles) +#mozilla_run_plugin(mozilla_t, mozilla_roles) xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t) @@ -298,7 +301,8 @@ optional_policy(` ') optional_policy(` - pulseaudio_role(mozilla_roles, mozilla_t) + #pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) ') @@ -476,9 +480,9 @@ optional_policy(` java_exec(mozilla_plugin_t) ') -optional_policy(` - lpd_run_lpr(mozilla_plugin_t, mozilla_roles) -') +#optional_policy(` +# lpd_run_lpr(mozilla_plugin_t, mozilla_roles) +#') optional_policy(` mplayer_exec(mozilla_plugin_t) diff --git a/ncftool.if b/ncftool.if index 1520b6c..3a4455f 100644 --- a/ncftool.if +++ b/ncftool.if @@ -36,10 +36,18 @@ interface(`ncftool_domtrans',` # interface(`ncftool_run',` gen_require(` - attribute_role ncftool_roles; + type ncftool_t; + #attribute_role ncftool_roles; ') - ncftool_domtrans($1) - roleattribute $2 ncftool_roles; + #ncftool_domtrans($1) + #roleattribute $2 ncftool_roles; + + role $1 types ncftool_t; + + ncftool_domtrans($2) + + ps_process_pattern($2, ncftool_t) + allow $2 ncftool_t:process signal; ') diff --git a/ncftool.te b/ncftool.te index 91ab36d..8c48c33 100644 --- a/ncftool.te +++ b/ncftool.te 
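Review bot: `pulseaudio_exec(mozilla_t)` is not a like-for-like replacement for the removed `pulseaudio_role(mozilla_roles, mozilla_t)`: an exec interface keeps the pulseaudio binary running inside mozilla_t, whereas the role interface presumably (its body is not in this diff) set up a transition into pulseaudio_t and authorized the roles for it. If that is the case, a browser process now runs the audio server in its own domain and pulseaudio's confinement is lost on this path; the module's `_domtrans` form plus a `role $1 types pulseaudio_t;` line in mozilla_role, following the pattern the ncftool and ppp hunks use, would preserve the separation. The same hunk comments out `lpd_run_lpr(mozilla_plugin_t, mozilla_roles)` with no replacement, so plugin printing silently stops working rather than being re-expressed with explicit role rules.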
@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.0) # Declarations # -attribute_role ncftool_roles; -roleattribute system_r ncftool_roles; +#attribute_role ncftool_roles; +#roleattribute system_r ncftool_roles; type ncftool_t; type ncftool_exec_t; application_domain(ncftool_t, ncftool_exec_t) domain_obj_id_change_exemption(ncftool_t) domain_system_change_exemption(ncftool_t) -role ncftool_roles types ncftool_t; +#role ncftool_roles types ncftool_t; +role system_r types ncftool_t; ######################################## # @@ -53,8 +54,10 @@ term_use_all_inherited_terms(ncftool_t) miscfiles_read_localization(ncftool_t) sysnet_delete_dhcpc_pid(ncftool_t) -sysnet_run_dhcpc(ncftool_t, ncftool_roles) -sysnet_run_ifconfig(ncftool_t, ncftool_roles) +sysnet_domtrans_dhcpc(ncftool_t) +sysnet_domtrans_ifconfig(ncftool_t) +#sysnet_run_dhcpc(ncftool_t, ncftool_roles) +#sysnet_run_ifconfig(ncftool_t, ncftool_roles) sysnet_etc_filetrans_config(ncftool_t) sysnet_manage_config(ncftool_t) sysnet_read_dhcpc_state(ncftool_t) @@ -66,9 +69,9 @@ sysnet_signal_dhcpc(ncftool_t) userdom_use_user_terminals(ncftool_t) userdom_read_user_tmp_files(ncftool_t) -optional_policy(` - brctl_run(ncftool_t, ncftool_roles) -') +#optional_policy(` +# brctl_run(ncftool_t, ncftool_roles) +#') optional_policy(` consoletype_exec(ncftool_t) @@ -85,9 +88,12 @@ optional_policy(` optional_policy(` modutils_read_module_config(ncftool_t) - modutils_run_insmod(ncftool_t, ncftool_roles) + modutils_domtrans_insmod(ncftool_t) + #modutils_run_insmod(ncftool_t, ncftool_roles) + ') optional_policy(` - netutils_run(ncftool_t, ncftool_roles) + netutils_domtrans(ncftool_t) + #netutils_run(ncftool_t, ncftool_roles) ') diff --git a/ppp.if b/ppp.if index c174b05..a4cad0b 100644 --- a/ppp.if +++ b/ppp.if 
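Review bot: Replacing `sysnet_run_dhcpc`/`sysnet_run_ifconfig` (and `modutils_run_insmod`, `netutils_run`) with the `_domtrans` forms drops the role authorization the `_run` forms carried: ncftool_t may still execute into dhcpc_t, ifconfig_t, insmod_t and netutils_t, but only system_r is guaranteed to be authorized for those types now. A user role that reaches ncftool_t through ncftool_run (which adds `role $2 types ncftool_t;`) will get a role denial on the second hop unless that role already holds these types from elsewhere. The follow-up commit moves `brctl_run(ncftool_t, $2)` into the interface; the dhcpc/ifconfig/insmod/netutils calls need the same treatment, e.g. `sysnet_run_dhcpc(ncftool_t, $2)` and `sysnet_run_ifconfig(ncftool_t, $2)` inside ncftool_run. Until that follow-up lands, brctl_run is commented out entirely here, so ncftool loses bridge control in the meantime.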
@@ -175,11 +175,18 @@ interface(`ppp_run_cond',` # interface(`ppp_run',` gen_require(` - attribute_role pppd_roles; + #attribute_role pppd_roles; + type pppd_t; ') - ppp_domtrans($1) - roleattribute $2 pppd_roles; + #ppp_domtrans($1) + #roleattribute $2 pppd_roles; + + role $2 types pppd_t; + + tunable_policy(`pppd_for_user',` + ppp_domtrans($1) + ') ') ######################################## diff --git a/ppp.te b/ppp.te index 17e10a2..92cec2b 100644 --- a/ppp.te +++ b/ppp.te @@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false) ## gen_tunable(pppd_for_user, false) -attribute_role pppd_roles; +#attribute_role pppd_roles; # pppd_t is the domain for the pppd program. # pppd_exec_t is the type of the pppd executable. type pppd_t; type pppd_exec_t; init_daemon_domain(pppd_t, pppd_exec_t) -role pppd_roles types pppd_t; +#role pppd_roles types pppd_t; +role system_r types pppd_t; type pppd_devpts_t; term_pty(pppd_devpts_t) @@ -64,7 +65,8 @@ files_pid_file(pppd_var_run_t) type pptp_t; type pptp_exec_t; init_daemon_domain(pptp_t, pptp_exec_t) -role pppd_roles types pptp_t; +#role pppd_roles types pptp_t; +role system_r types pptp_t; type pptp_log_t; logging_log_file(pptp_log_t) @@ -176,7 +178,8 @@ init_dontaudit_write_utmp(pppd_t) init_signal_script(pppd_t) auth_use_nsswitch(pppd_t) -auth_run_chk_passwd(pppd_t,pppd_roles) +auth_domtrans_chk_passwd(pppd_t) +#auth_run_chk_passwd(pppd_t,pppd_roles) auth_write_login_records(pppd_t) logging_send_syslog_msg(pppd_t) @@ -196,7 +199,8 @@ userdom_search_admin_dir(pppd_t) ppp_exec(pppd_t) optional_policy(` - ddclient_run(pppd_t, pppd_roles) + #ddclient_run(pppd_t, pppd_roles) + ddclient_domtrans(pppd_t) ') optional_policy(` diff --git a/usernetctl.if b/usernetctl.if index d45c715..2d4f1ba 100644 --- a/usernetctl.if +++ b/usernetctl.if 
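Review bot: ppp_run now wraps `ppp_domtrans($1)` in a tunable_policy block on pppd_for_user, which changes the interface's contract: callers such as usernetctl_run that previously got an unconditional transition into pppd_t now only get it when the boolean is on, and ppp_run becomes a near-duplicate of the ppp_run_cond interface whose header is visible just above this hunk. If the unconditional behaviour is meant to survive, keep `ppp_domtrans($1)` outside the tunable and leave the conditional variant to ppp_run_cond. `role $2 types pppd_t;` correctly sits outside the tunable block, since role statements are not permitted in conditional policy, but that also means the role stays authorized for pppd_t even when the boolean is off; a comment there, `# role authorization cannot be conditional; the transition itself is gated by pppd_for_user`, would stop the next reader from "fixing" it.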
@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',` # interface(`usernetctl_run',` gen_require(` - attribute_role usernetctl_roles; + type usernetctl_t; + #attribute_role usernetctl_roles; ') - usernetctl_domtrans($1) - roleattribute $2 usernetctl_roles; + #usernetctl_domtrans($1) + #roleattribute $2 usernetctl_roles; + + sysnet_run_ifconfig(usernetctl_t, $2) + sysnet_run_dhcpc(usernetctl_t, $2) + + optional_policy(` + iptables_run(usernetctl_t, $2) + ') + + optional_policy(` + modutils_run_insmod(usernetctl_t, $2) + ') + + optional_policy(` + ppp_run(usernetctl_t, $2) + ') + ') diff --git a/usernetctl.te b/usernetctl.te index 8604c1c..35b12a6 100644 --- a/usernetctl.te +++ b/usernetctl.te @@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0) # Declarations # -attribute_role usernetctl_roles; +#attribute_role usernetctl_roles; type usernetctl_t; type usernetctl_exec_t; application_domain(usernetctl_t, usernetctl_exec_t) domain_interactive_fd(usernetctl_t) -role usernetctl_roles types usernetctl_t; +#role usernetctl_roles types usernetctl_t; +role system_r types usernetctl_t; ######################################## # 
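Review bot: usernetctl_run no longer calls `usernetctl_domtrans($1)` and adds no `role $2 types usernetctl_t;` — both lines were commented out and, unlike ncftool_run, vpn_run and ppp_run in this same series, nothing replaces them. A caller of usernetctl_run($1, $2) therefore receives the ifconfig/dhcpc/iptables/insmod/ppp role rules for usernetctl_t's sub-domains but never the transition into usernetctl_t itself, and the role is not authorized for it, so the interface does nothing useful for the caller's domain. Restore `usernetctl_domtrans($1)` and `role $2 types usernetctl_t;` at the top of the interface, before the `sysnet_run_ifconfig(usernetctl_t, $2)` line; the `type usernetctl_t;` now in gen_require is what that needs and is already there.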
@@ -63,29 +64,30 @@ sysnet_read_config(usernetctl_t) userdom_use_inherited_user_terminals(usernetctl_t) -sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) -sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) +#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) +#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) optional_policy(` - consoletype_run(usernetctl_t, usernetctl_roles) + #consoletype_run(usernetctl_t, usernetctl_roles) + consoletype_exec(usernetctl_t) ') optional_policy(` hostname_exec(usernetctl_t) ') -optional_policy(` - iptables_run(usernetctl_t, usernetctl_roles) -') +#optional_policy(` +# iptables_run(usernetctl_t, usernetctl_roles) +#') -optional_policy(` - modutils_run_insmod(usernetctl_t, usernetctl_roles) -') +#optional_policy(` +# modutils_run_insmod(usernetctl_t, usernetctl_roles) +#') optional_policy(` nis_use_ypbind(usernetctl_t) ') -optional_policy(` - ppp_run(usernetctl_t, usernetctl_roles) -') +#optional_policy(` +# ppp_run(usernetctl_t, usernetctl_roles) +#') diff --git a/vpn.if b/vpn.if index 7b93e07..a4e2f60 100644 --- a/vpn.if +++ b/vpn.if @@ -37,11 +37,16 @@ interface(`vpn_domtrans',` # interface(`vpn_run',` gen_require(` - attribute_role vpnc_roles; + #attribute_role vpnc_roles; + type vpnc_t; ') + #vpn_domtrans($1) + #roleattribute $2 vpnc_roles; + vpn_domtrans($1) - roleattribute $2 vpnc_roles; + role $2 types vpnc_t; + sysnet_run_ifconfig(vpnc_t, $2) ') ######################################## diff --git a/vpn.te b/vpn.te index 99fd457..d2585bb 100644 --- a/vpn.te +++ b/vpn.te @@ -5,14 +5,15 @@ policy_module(vpn, 1.15.0) # Declarations # -attribute_role vpnc_roles; -roleattribute system_r vpnc_roles; +#attribute_role vpnc_roles; +#roleattribute system_r vpnc_roles; type vpnc_t; type vpnc_exec_t; init_system_domain(vpnc_t, vpnc_exec_t) application_domain(vpnc_t, vpnc_exec_t) -role vpnc_roles types vpnc_t; +#role vpnc_roles types vpnc_t; +role system_r types vpnc_t; type vpnc_tmp_t; files_tmp_file(vpnc_tmp_t) 
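Review bot: Across this hunk (and the whole series) the superseded `_run`/roleattribute lines are kept as `#`-commented copies next to their replacements, e.g. `#sysnet_run_ifconfig(vpnc_t, vpnc_roles)` beside the live `sysnet_run_ifconfig(vpnc_t, $2)` in vpn_run; git already preserves the old text, and dead policy lines next to live ones make it hard to see which role/type pairs are actually granted. Delete the commented-out lines and leave one note at the top of each touched .te, `# roleattribute temporarily replaced by explicit role/types rules; see commit f53f820`, so the intent survives without the clutter. For the vpn.if hunk itself, `sysnet_run_ifconfig(vpnc_t, $2)` is the right pattern — the role follows the caller — and is the model the ncftool and dpkg hunks should copy.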
@@ -108,7 +109,7 @@ miscfiles_read_localization(vpnc_t) seutil_dontaudit_search_config(vpnc_t) seutil_use_newrole_fds(vpnc_t) -sysnet_run_ifconfig(vpnc_t, vpnc_roles) +#sysnet_run_ifconfig(vpnc_t, vpnc_roles) sysnet_etc_filetrans_config(vpnc_t) sysnet_manage_config(vpnc_t) commit 88b64bdd71ef734271b9370fc37e02785f354f7f Author: Miroslav Grepl Date: Thu Jun 7 02:33:40 2012 +0200 Fix ncftool.if diff --git a/ncftool.if b/ncftool.if index 3a4455f..59f096b 100644 --- a/ncftool.if +++ b/ncftool.if @@ -43,11 +43,12 @@ interface(`ncftool_run',` #ncftool_domtrans($1) #roleattribute $2 ncftool_roles; - role $1 types ncftool_t; + ncftool_domtrans($1) + role $2 types ncftool_t; - ncftool_domtrans($2) + optional_policy(` + brctl_run(ncftool_t, $2) + ') - ps_process_pattern($2, ncftool_t) - allow $2 ncftool_t:process signal; ') commit 1d49e7e1383a578e75d16b0b7f58dbe25351b1d9 Author: Miroslav Grepl Date: Thu Jun 7 10:47:57 2012 +0200 roleattriburte temp fixes for portage and dpkg diff --git a/dpkg.if b/dpkg.if index 4d32b42..d945bd0 100644 --- a/dpkg.if +++ b/dpkg.if @@ -62,11 +62,18 @@ interface(`dpkg_domtrans_script',` # interface(`dpkg_run',` gen_require(` - attribute_role dpkg_roles; + #attribute_role dpkg_roles; + type dpkg_t, dpkg_script_t ') + #dpkg_domtrans($1) + #roleattribute $2 dpkg_roles; + dpkg_domtrans($1) - roleattribute $2 dpkg_roles; + role $2 types dpkg_t; + role $2 types dpkg_script_t; + seutil_run_loadpolicy(dpkg_script_t, $2) + ') ######################################## diff --git a/dpkg.te b/dpkg.te index a1b8f92..9ac1b80 100644 --- a/dpkg.te +++ b/dpkg.te @@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1) # Declarations # -attribute_role dpkg_roles; -roleattribute system_r dpkg_roles; +#attribute_role dpkg_roles; +#roleattribute system_r dpkg_roles; type dpkg_t; type dpkg_exec_t; 
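Review bot: dpkg_run now authorizes $2 for dpkg_t and dpkg_script_t and adds `seutil_run_loadpolicy(dpkg_script_t, $2)`, but nothing covers the other domains dpkg_t and dpkg_script_t transition into after this series — setfiles_t, depmod_t, insmod_t, groupadd_t, useradd_t and ldconfig_t are reached through plain `_domtrans` calls in dpkg.te, which carry no role rule. A role that runs dpkg through this interface will be denied on those second-hop transitions unless it already holds the types, and it is odd that only loadpolicy, and only for dpkg_script_t, gets the `_run` treatment here. Either add the matching `*_run(dpkg_t, $2)` and `*_run(dpkg_script_t, $2)` calls to dpkg_run, as usernetctl_run does, or document in the interface why loadpolicy is the only one. The `seutil_run_loadpolicy` call here is unconditional while the `seutil_domtrans_loadpolicy(dpkg_t)` in dpkg.te sits inside an optional_policy block, so the two files disagree on whether seutil is optional.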
@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t) domain_role_change_exemption(dpkg_t) domain_system_change_exemption(dpkg_t) domain_interactive_fd(dpkg_t) -role dpkg_roles types dpkg_t; +#role dpkg_roles types dpkg_t; +role system_r types dpkg_t; # lockfile type dpkg_lock_t; @@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t) domain_obj_id_change_exemption(dpkg_script_t) domain_system_change_exemption(dpkg_script_t) domain_interactive_fd(dpkg_script_t) -role dpkg_roles types dpkg_script_t; +#role dpkg_roles types dpkg_script_t; +role system_r types dpkg_script_t; type dpkg_script_tmp_t; files_tmp_file(dpkg_script_tmp_t) @@ -152,9 +154,12 @@ files_exec_etc_files(dpkg_t) init_domtrans_script(dpkg_t) init_use_script_ptys(dpkg_t) +#libs_exec_ld_so(dpkg_t) +#libs_exec_lib_files(dpkg_t) +#libs_run_ldconfig(dpkg_t, dpkg_roles) libs_exec_ld_so(dpkg_t) libs_exec_lib_files(dpkg_t) -libs_run_ldconfig(dpkg_t, dpkg_roles) +libs_domtrans_ldconfig(dpkg_t) logging_send_syslog_msg(dpkg_t) 
@@ -196,19 +201,30 @@ domain_signull_all_domains(dpkg_t) files_read_etc_runtime_files(dpkg_t) files_exec_usr_files(dpkg_t) miscfiles_read_localization(dpkg_t) -modutils_run_depmod(dpkg_t, dpkg_roles) -modutils_run_insmod(dpkg_t, dpkg_roles) -seutil_run_loadpolicy(dpkg_t, dpkg_roles) -seutil_run_setfiles(dpkg_t, dpkg_roles) +#modutils_run_depmod(dpkg_t, dpkg_roles) +#modutils_run_insmod(dpkg_t, dpkg_roles) +#seutil_run_loadpolicy(dpkg_t, dpkg_roles) +#seutil_run_setfiles(dpkg_t, dpkg_roles) userdom_use_all_users_fds(dpkg_t) optional_policy(` mta_send_mail(dpkg_t) ') + + optional_policy(` - usermanage_run_groupadd(dpkg_t, dpkg_roles) - usermanage_run_useradd(dpkg_t, dpkg_roles) + modutils_domtrans_depmod(dpkg_t) + modutils_domtrans_insmod(dpkg_t) + seutil_domtrans_loadpolicy(dpkg_t) + seutil_domtrans_setfiles(dpkg_t) + usermanage_domtrans_groupadd(dpkg_t) + usermanage_domtrans_useradd(dpkg_t) ') +#optional_policy(` +# usermanage_run_groupadd(dpkg_t, dpkg_roles) +# usermanage_run_useradd(dpkg_t, dpkg_roles) +#') + ######################################## # # dpkg-script Local policy @@ -302,11 +318,11 @@ logging_send_syslog_msg(dpkg_script_t) miscfiles_read_localization(dpkg_script_t) -modutils_run_depmod(dpkg_script_t, dpkg_roles) -modutils_run_insmod(dpkg_script_t, dpkg_roles) +#modutils_run_depmod(dpkg_script_t, dpkg_roles) +#modutils_run_insmod(dpkg_script_t, dpkg_roles) -seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) -seutil_run_setfiles(dpkg_script_t, dpkg_roles) +#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) +#seutil_run_setfiles(dpkg_script_t, dpkg_roles) userdom_use_all_users_fds(dpkg_script_t) @@ -319,9 +335,9 @@ optional_policy(` apt_use_fds(dpkg_script_t) ') -optional_policy(` - bootloader_run(dpkg_script_t, dpkg_roles) -') +#optional_policy(` +# bootloader_run(dpkg_script_t, dpkg_roles) +#') optional_policy(` mta_send_mail(dpkg_script_t) 
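Review bot: The new single optional_policy block in the dpkg_t local policy groups `seutil_domtrans_loadpolicy(dpkg_t)` and `seutil_domtrans_setfiles(dpkg_t)` with modutils and usermanage interfaces; optional_policy drops the whole block when any referenced module is absent, so loadpolicy and setfiles — previously unconditional via the `seutil_run_*` lines — now silently disappear from dpkg_t if usermanage or modutils is not built, and a package install that relabels or loads policy would fail only at runtime. Keep the two seutil calls unconditional and give modutils and usermanage their own optional_policy blocks, matching how the original arranged them. The two added blank lines above that block are also leftover noise the later typo-fix commits did not clean up.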
@@ -335,7 +351,7 @@ optional_policy(` unconfined_domain(dpkg_script_t) ') -optional_policy(` - usermanage_run_groupadd(dpkg_script_t, dpkg_roles) - usermanage_run_useradd(dpkg_script_t, dpkg_roles) -') +#optional_policy(` +# usermanage_run_groupadd(dpkg_script_t, dpkg_roles) +# usermanage_run_useradd(dpkg_script_t, dpkg_roles) +#') diff --git a/portage.if b/portage.if index b4bb48a..e5e8f12 100644 --- a/portage.if +++ b/portage.if @@ -43,11 +43,15 @@ interface(`portage_domtrans',` # interface(`portage_run',` gen_require(` - attribute_role portage_roles; + type portage_t, portage_fetch_t, portage_sandbox_t; + #attribute_role portage_roles; ') - portage_domtrans($1) - roleattribute $2 portage_roles; + #portage_domtrans($1) + #roleattribute $2 portage_roles; + portage_domtrans($1) + role $2 types { portage_t portage_fetch_t portage_sandbox_t } + ') ######################################## diff --git a/portage.te b/portage.te index 22bdf7d..f726e1d 100644 --- a/portage.te +++ b/portage.te @@ -12,7 +12,7 @@ policy_module(portage, 1.12.4) ## gen_tunable(portage_use_nfs, false) -attribute_role portage_roles; +#attribute_role portage_roles; type gcc_config_t; type gcc_config_exec_t; @@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t) domain_obj_id_change_exemption(portage_t) rsync_entry_type(portage_t) corecmd_shell_entry_type(portage_t) -role portage_roles types portage_t; +#role portage_roles types portage_t; +role system_r types portage_t; # portage compile sandbox domain type portage_sandbox_t; @@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t) # the shell is the entrypoint if regular sandbox is disabled # portage_exec_t is the entrypoint if regular sandbox is enabled corecmd_shell_entry_type(portage_sandbox_t) -role portage_roles types portage_sandbox_t; +#role portage_roles types portage_sandbox_t; +role system_r types portage_sandbox_t; # portage package fetching domain type portage_fetch_t; 
@@ -41,7 +43,8 @@ type portage_fetch_exec_t; application_domain(portage_fetch_t, portage_fetch_exec_t) corecmd_shell_entry_type(portage_fetch_t) rsync_entry_type(portage_fetch_t) -role portage_roles types portage_fetch_t; +#role portage_roles types portage_fetch_t; +role system_r types portage_fetch_t; type portage_devpts_t; term_pty(portage_devpts_t) @@ -115,7 +118,8 @@ files_list_all(gcc_config_t) init_dontaudit_read_script_status_files(gcc_config_t) libs_read_lib_files(gcc_config_t) -libs_run_ldconfig(gcc_config_t, portage_roles) +#libs_run_ldconfig(gcc_config_t, portage_roles) +libs_domtrans_ldconfig(gcc_config_t) libs_manage_shared_libs(gcc_config_t) # gcc-config creates a temp dir for the libs libs_manage_lib_dirs(gcc_config_t) 
@@ -196,33 +200,41 @@ auth_manage_shadow(portage_t) init_exec(portage_t) # run setfiles -r -seutil_run_setfiles(portage_t, portage_roles) +#seutil_run_setfiles(portage_t, portage_roles) # run semodule -seutil_run_semanage(portage_t, portage_roles) +#seutil_run_semanage(portage_t, portage_roles) -portage_run_gcc_config(portage_t, portage_roles) +#portage_run_gcc_config(portage_t, portage_roles) # if sesandbox is disabled, compiling is performed in this domain portage_compile_domain(portage_t) -optional_policy(` - bootloader_run(portage_t, portage_roles) -') +#optional_policy(` +# bootloader_run(portage_t, portage_roles) +#') optional_policy(` cron_system_entry(portage_t, portage_exec_t) cron_system_entry(portage_fetch_t, portage_fetch_exec_t) ') -optional_policy(` - modutils_run_depmod(portage_t, portage_roles) - modutils_run_update_mods(portage_t, portage_roles) +#optional_policy(` +# modutils_run_depmod(portage_t, portage_roles) +# modutils_run_update_mods(portage_t, portage_roles) #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; ') -optional_policy(` - usermanage_run_groupadd(portage_t, portage_roles) - usermanage_run_useradd(portage_t, portage_roles) -') +#optional_policy(` +# usermanage_run_groupadd(portage_t, portage_roles) +# usermanage_run_useradd(portage_t, portage_roles) +#') + +seutil_domtrans_setfiles(portage_t) +seutil_domtrans_semanage(portage_t) +bootloader_domtrans(portage_t) +modutils_domtrans_depmod(portage_t) +modutils_domtrans_update_mods(portage_t) +usermanage_domtrans_groupadd(portage_t) +usermanage_domtrans_useradd(portage_t) ifdef(`TODO',` # seems to work ok without these commit 1797b35f16d5c863a0083148dee4ee3f93c4c4ef Author: Miroslav Grepl Date: Thu Jun 7 10:52:09 2012 +0200 Fix typo diff --git a/portage.if b/portage.if index e5e8f12..7098ded 100644 --- a/portage.if +++ b/portage.if 
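Review bot: The modutils optional_policy opener is commented out but its closing `')` two lines later is a context line and stays live, leaving a stray `')` in portage.te after the `#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;` comment; m4 will either error on the unbalanced quote or emit the literal text into the policy, and neither follow-up typo commit touches it — comment out that `')` as well. The replacement lines from `seutil_domtrans_setfiles(portage_t)` through `usermanage_domtrans_useradd(portage_t)` are added unconditionally, whereas bootloader, modutils and usermanage were previously inside optional_policy, so portage.te will now fail to build on a policy without those modules; wrap the bootloader, modutils and usermanage `_domtrans` calls back in their respective optional_policy blocks. `portage_run_gcc_config(portage_t, portage_roles)` is commented out with no `_domtrans` replacement at all, so portage_t can no longer transition into gcc_config_t, which is a functional regression rather than a role fix.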
@@ -50,7 +50,7 @@ interface(`portage_run',` #portage_domtrans($1) #roleattribute $2 portage_roles; portage_domtrans($1) - role $2 types { portage_t portage_fetch_t portage_sandbox_t } + role $2 types { portage_t portage_fetch_t portage_sandbox_t }; ') commit cf999ca29d2a4401c481e28c169e10d676d73526 Author: Miroslav Grepl Date: Thu Jun 7 10:59:22 2012 +0200 One more typo diff --git a/dpkg.if b/dpkg.if index d945bd0..78736d8 100644 --- a/dpkg.if +++ b/dpkg.if @@ -63,7 +63,7 @@ interface(`dpkg_domtrans_script',` interface(`dpkg_run',` gen_require(` #attribute_role dpkg_roles; - type dpkg_t, dpkg_script_t + type dpkg_t, dpkg_script_t; ') #dpkg_domtrans($1)