[COMMIT]refpolicy-contrib branch, master, updated. ca7f15b944fb865a3d7056467c838c9350c19ab1
Reference Policy commits mail list
refpolicy-commits at oss.tresys.com
Wed Sep 21 08:54:03 CDT 2011
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "refpolicy-contrib".
The branch, master has been updated
via ca7f15b944fb865a3d7056467c838c9350c19ab1 (commit)
via 82067f6894917169d0aeb212e3c55b19197df7a4 (commit)
via b7fed43eacfc0dc0ecad28ca6d3d9f2bdf6b902c (commit)
via 23d14ad1b17ada460d5ebac3d9a814b811924c5f (commit)
via 301817f8976f816c2e596a6672b242f96df6c2b5 (commit)
via 0811b3b35625b52149037465957a14da5b80800d (commit)
via e166ec9ba4a8f9520e828d407c71492d99b4dafa (commit)
via a4c0f467a3fd9940d14ba0ba636f7ec3739373c9 (commit)
via 66681e60aba582e24be06cf8ae03cff5e0a86116 (commit)
via 9c585d2ae23c5590b329d5440539ea45ee807e16 (commit)
from fc3ccf09af8cf77666075c8bc93e1bf5d2ede9c1 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit ca7f15b944fb865a3d7056467c838c9350c19ab1
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Sep 21 09:07:51 2011 -0400
Module version bumps for role attribute changes.
commit 82067f6894917169d0aeb212e3c55b19197df7a4
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Sep 21 08:46:39 2011 -0400
Add role attributes to portage.
commit b7fed43eacfc0dc0ecad28ca6d3d9f2bdf6b902c
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Sep 21 08:45:25 2011 -0400
Add role attributes to vpn.
commit 23d14ad1b17ada460d5ebac3d9a814b811924c5f
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Sep 21 08:45:15 2011 -0400
Add role attributes to usernetctl.
commit 301817f8976f816c2e596a6672b242f96df6c2b5
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Sep 21 08:45:05 2011 -0400
Add role attributes to rpm.
commit 0811b3b35625b52149037465957a14da5b80800d
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Sep 21 08:44:57 2011 -0400
Add role attributes to ppp.
commit e166ec9ba4a8f9520e828d407c71492d99b4dafa
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Sep 21 08:44:35 2011 -0400
Add role attributes to ncftool.
commit a4c0f467a3fd9940d14ba0ba636f7ec3739373c9
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Sep 21 08:44:26 2011 -0400
Add role attributes to mozilla.
commit 66681e60aba582e24be06cf8ae03cff5e0a86116
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Sep 21 08:44:07 2011 -0400
Add role attributes to livecd.
commit 9c585d2ae23c5590b329d5440539ea45ee807e16
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Sep 21 08:43:58 2011 -0400
Add role attributes to dpkg.
-----------------------------------------------------------------------
Summary of changes:
dpkg.if | 6 ++----
dpkg.te | 39 +++++++++++++++++++++------------------
livecd.if | 8 ++------
livecd.te | 14 +++++++++++---
mozilla.if | 5 -----
mozilla.te | 9 +++++++--
ncftool.if | 8 ++------
ncftool.te | 15 +++++++++------
portage.if | 4 ++--
portage.te | 25 +++++++++++++++----------
ppp.if | 9 ++-------
ppp.te | 8 ++++++--
rpm.if | 7 ++-----
rpm.te | 34 +++++++++++++++++++---------------
usernetctl.if | 23 ++---------------------
usernetctl.te | 23 ++++++++++++++++++++++-
vpn.if | 5 ++---
vpn.te | 8 ++++++--
18 files changed, 132 insertions(+), 118 deletions(-)
Detailed diffset:
:100644 100644 9317171... 4d32b42... M dpkg.if
:100644 100644 633d2fc... 7760168... M dpkg.te
:100644 100644 b2e27ec... ae29d9f... M livecd.if
:100644 100644 e3c0aa0... 8a8a87e... M livecd.te
:100644 100644 fbb5c5a... af2ba47... M mozilla.if
:100644 100644 1039ff2... b9ea50f... M mozilla.te
:100644 100644 75ee31d... a648982... M ncftool.if
:100644 100644 ec29391... 43cf05a... M ncftool.te
:100644 100644 22c6e17... ce69a52... M portage.if
:100644 100644 1588d0d... 196e0bc... M portage.te
:100644 100644 b524673... de4bdb7... M ppp.if
:100644 100644 65abdc7... 1f3c83e... M ppp.te
:100644 100644 d33daa8... 951d8f6... M rpm.if
:100644 100644 7d964bf... 0e91c40... M rpm.te
:100644 100644 ba9b9d6... d45c715... M usernetctl.if
:100644 100644 9586818... 8f3bc8c... M usernetctl.te
:100644 100644 64f8cdc... 7b93e07... M vpn.if
:100644 100644 ebf4b26... 68a784b... M vpn.te
diff --git a/dpkg.if b/dpkg.if
index 9317171..4d32b42 100644
--- a/dpkg.if
+++ b/dpkg.if
@@ -62,13 +62,11 @@ interface(`dpkg_domtrans_script',`
#
interface(`dpkg_run',`
gen_require(`
- type dpkg_t, dpkg_script_t;
+ attribute_role dpkg_roles;
')
dpkg_domtrans($1)
- role $2 types dpkg_t;
- role $2 types dpkg_script_t;
- seutil_run_loadpolicy(dpkg_script_t, $2)
+ roleattribute $2 dpkg_roles;
')
########################################
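Review bot: After this change `dpkg_run` no longer shows which types the caller's role ends up with, and the interface's header comment (outside this hunk) presumably still describes the old behaviour. The role in `$2` now receives every type that dpkg.te associates with `dpkg_roles`, so anyone auditing a role has to follow the attribute into the .te file. I would add a line above the new statement such as `# $2 gains all types associated with dpkg_roles in dpkg.te.` and adjust the role parameter description to match. The same applies to `livecd_run`, `ncftool_run`, `portage_run`, `ppp_run`, `rpm_run`, `usernetctl_run` and `vpn_run` later in this diff.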
diff --git a/dpkg.te b/dpkg.te
index 633d2fc..7760168 100644
--- a/dpkg.te
+++ b/dpkg.te
@@ -1,10 +1,13 @@
-policy_module(dpkg, 1.8.0)
+policy_module(dpkg, 1.8.1)
########################################
#
# Declarations
#
+attribute_role dpkg_roles;
+roleattribute system_r dpkg_roles;
+
type dpkg_t;
type dpkg_exec_t;
# dpkg can start/stop services
@@ -14,7 +17,7 @@ domain_obj_id_change_exemption(dpkg_t)
domain_role_change_exemption(dpkg_t)
domain_system_change_exemption(dpkg_t)
domain_interactive_fd(dpkg_t)
-role system_r types dpkg_t;
+role dpkg_roles types dpkg_t;
# lockfile
type dpkg_lock_t;
@@ -38,7 +41,7 @@ corecmd_shell_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
domain_system_change_exemption(dpkg_script_t)
domain_interactive_fd(dpkg_script_t)
-role system_r types dpkg_script_t;
+role dpkg_roles types dpkg_script_t;
type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)
@@ -151,7 +154,7 @@ init_use_script_ptys(dpkg_t)
libs_exec_ld_so(dpkg_t)
libs_exec_lib_files(dpkg_t)
-libs_domtrans_ldconfig(dpkg_t)
+libs_run_ldconfig(dpkg_t, dpkg_roles)
logging_send_syslog_msg(dpkg_t)
@@ -193,17 +196,17 @@ domain_signull_all_domains(dpkg_t)
files_read_etc_runtime_files(dpkg_t)
files_exec_usr_files(dpkg_t)
miscfiles_read_localization(dpkg_t)
-modutils_domtrans_depmod(dpkg_t)
-modutils_domtrans_insmod(dpkg_t)
-seutil_domtrans_loadpolicy(dpkg_t)
-seutil_domtrans_setfiles(dpkg_t)
+modutils_run_depmod(dpkg_t, dpkg_roles)
+modutils_run_insmod(dpkg_t, dpkg_roles)
+seutil_run_loadpolicy(dpkg_t, dpkg_roles)
+seutil_run_setfiles(dpkg_t, dpkg_roles)
userdom_use_all_users_fds(dpkg_t)
optional_policy(`
mta_send_mail(dpkg_t)
')
optional_policy(`
- usermanage_domtrans_groupadd(dpkg_t)
- usermanage_domtrans_useradd(dpkg_t)
+ usermanage_run_groupadd(dpkg_t, dpkg_roles)
+ usermanage_run_useradd(dpkg_t, dpkg_roles)
')
########################################
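Review bot: The `_run` calls added here take `dpkg_roles`, so every role in that attribute, including any role a caller passes to `dpkg_run`, presumably becomes associated with the depmod, insmod, load_policy, setfiles, groupadd and useradd domains. The removed body of `dpkg_run` in dpkg.if only ran `seutil_run_loadpolicy(dpkg_script_t, $2)` for the caller's role, so the set of types reachable from that role grows with this commit. If that is intended, a comment above the block such as `# Roles in dpkg_roles may enter the helper domains below.` would make the widening visible to whoever audits role-type associations. The `dpkg_script_t` hunk that follows and the equivalent blocks in portage.te and rpm.te follow the same pattern.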
@@ -293,17 +296,17 @@ init_use_script_fds(dpkg_script_t)
libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
-libs_domtrans_ldconfig(dpkg_script_t)
+libs_run_ldconfig(dpkg_script_t, dpkg_roles)
logging_send_syslog_msg(dpkg_script_t)
miscfiles_read_localization(dpkg_script_t)
-modutils_domtrans_depmod(dpkg_script_t)
-modutils_domtrans_insmod(dpkg_script_t)
+modutils_run_depmod(dpkg_script_t, dpkg_roles)
+modutils_run_insmod(dpkg_script_t, dpkg_roles)
-seutil_domtrans_loadpolicy(dpkg_script_t)
-seutil_domtrans_setfiles(dpkg_script_t)
+seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
+seutil_run_setfiles(dpkg_script_t, dpkg_roles)
userdom_use_all_users_fds(dpkg_script_t)
@@ -317,7 +320,7 @@ optional_policy(`
')
optional_policy(`
- bootloader_domtrans(dpkg_script_t)
+ bootloader_run(dpkg_script_t, dpkg_roles)
')
optional_policy(`
@@ -333,6 +336,6 @@ optional_policy(`
')
optional_policy(`
- usermanage_domtrans_groupadd(dpkg_script_t)
- usermanage_domtrans_useradd(dpkg_script_t)
+ usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
+ usermanage_run_useradd(dpkg_script_t, dpkg_roles)
')
diff --git a/livecd.if b/livecd.if
index b2e27ec..ae29d9f 100644
--- a/livecd.if
+++ b/livecd.if
@@ -36,15 +36,11 @@ interface(`livecd_domtrans',`
#
interface(`livecd_run',`
gen_require(`
- type livecd_t;
+ attribute_role livecd_roles;
')
livecd_domtrans($1)
- role $2 types livecd_t;
-
- optional_policy(`
- mount_run(livecd_t, $2)
- ')
+ roleattribute $2 livecd_roles;
')
########################################
diff --git a/livecd.te b/livecd.te
index e3c0aa0..8a8a87e 100644
--- a/livecd.te
+++ b/livecd.te
@@ -1,14 +1,17 @@
-policy_module(livecd, 1.1.0)
+policy_module(livecd, 1.1.1)
########################################
#
# Declarations
#
+attribute_role livecd_roles;
+roleattribute system_r livecd_roles;
+
type livecd_t;
type livecd_exec_t;
application_domain(livecd_t, livecd_exec_t)
-role system_r types livecd_t;
+role livecd_roles types livecd_t;
type livecd_tmp_t;
files_tmp_file(livecd_tmp_t)
@@ -27,9 +30,14 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
optional_policy(`
- unconfined_domain(livecd_t)
+ mount_run(livecd_t, livecd_roles)
')
optional_policy(`
hal_dbus_chat(livecd_t)
')
+
+optional_policy(`
+ unconfined_domain(livecd_t)
+')
+
diff --git a/mozilla.if b/mozilla.if
index fbb5c5a..af2ba47 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -46,12 +46,7 @@ interface(`mozilla_role',`
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
- mozilla_run_plugin(mozilla_t, $1)
mozilla_dbus_chat($2)
-
- optional_policy(`
- pulseaudio_role($1, mozilla_t)
- ')
')
########################################
diff --git a/mozilla.te b/mozilla.te
index 1039ff2..b9ea50f 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.4.0)
+policy_module(mozilla, 2.4.1)
########################################
#
@@ -12,12 +12,15 @@ policy_module(mozilla, 2.4.0)
## </desc>
gen_tunable(mozilla_read_content, false)
+attribute_role mozilla_roles;
+
type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
application_domain(mozilla_t, mozilla_exec_t)
ubac_constrained(mozilla_t)
+role mozilla_roles types mozilla_t;
type mozilla_conf_t;
files_config_file(mozilla_conf_t)
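Review bot: Nothing in this diff puts a role into `mozilla_roles`: the attribute is declared here without a `roleattribute` line, and the mozilla.if hunk for `mozilla_role` only removes lines. Unless roles are added somewhere outside this diff, `role mozilla_roles types mozilla_t;`, `mozilla_run_plugin(mozilla_t, mozilla_roles)` and `pulseaudio_role(mozilla_roles, mozilla_t)` apply to an empty set of roles. The calls that used `$1` directly were removed, so user roles would lose the plugin and pulseaudio associations they had. `mozilla_role` should require the attribute and add the caller's role, i.e. `attribute_role mozilla_roles;` in its `gen_require` and `roleattribute $1 mozilla_roles;` in its body. The body of `mozilla_role` begins outside the visible hunk.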
@@ -167,6 +170,8 @@ sysnet_dns_name_resolve(mozilla_t)
userdom_use_user_ptys(mozilla_t)
+mozilla_run_plugin(mozilla_t, mozilla_roles)
+
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
@@ -282,7 +287,7 @@ optional_policy(`
')
optional_policy(`
- pulseaudio_exec(mozilla_t)
+ pulseaudio_role(mozilla_roles, mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
')
diff --git a/ncftool.if b/ncftool.if
index 75ee31d..a648982 100644
--- a/ncftool.if
+++ b/ncftool.if
@@ -36,13 +36,9 @@ interface(`ncftool_domtrans',`
#
interface(`ncftool_run',`
gen_require(`
- type ncftool_t;
+ attribute_role ncftool_roles;
')
ncftool_domtrans($1)
- role $2 types ncftool_t;
-
- optional_policy(`
- brctl_run(ncftool_t, $2)
- ')
+ roleattribute $2 ncftool_roles;
')
diff --git a/ncftool.te b/ncftool.te
index ec29391..43cf05a 100644
--- a/ncftool.te
+++ b/ncftool.te
@@ -1,16 +1,19 @@
-policy_module(ncftool, 1.0.0)
+policy_module(ncftool, 1.0.1)
########################################
#
# Declarations
#
+attribute_role ncftool_roles;
+roleattribute system_r ncftool_roles;
+
type ncftool_t;
type ncftool_exec_t;
application_domain(ncftool_t, ncftool_exec_t)
domain_obj_id_change_exemption(ncftool_t)
domain_system_change_exemption(ncftool_t)
-role system_r types ncftool_t;
+role ncftool_roles types ncftool_t;
########################################
#
@@ -45,8 +48,8 @@ files_read_usr_files(ncftool_t)
miscfiles_read_localization(ncftool_t)
sysnet_delete_dhcpc_pid(ncftool_t)
-sysnet_domtrans_dhcpc(ncftool_t)
-sysnet_domtrans_ifconfig(ncftool_t)
+sysnet_run_dhcpc(ncftool_t, ncftool_roles)
+sysnet_run_ifconfig(ncftool_t, ncftool_roles)
sysnet_etc_filetrans_config(ncftool_t)
sysnet_manage_config(ncftool_t)
sysnet_read_dhcpc_state(ncftool_t)
@@ -70,9 +73,9 @@ optional_policy(`
optional_policy(`
modutils_read_module_config(ncftool_t)
- modutils_domtrans_insmod(ncftool_t)
+ modutils_run_insmod(ncftool_t, ncftool_roles)
')
optional_policy(`
- netutils_domtrans(ncftool_t)
+ netutils_run(ncftool_t, ncftool_roles)
')
diff --git a/portage.if b/portage.if
index 22c6e17..ce69a52 100644
--- a/portage.if
+++ b/portage.if
@@ -43,11 +43,11 @@ interface(`portage_domtrans',`
#
interface(`portage_run',`
gen_require(`
- type portage_t, portage_sandbox_t;
+ attribute_role portage_roles;
')
portage_domtrans($1)
- role $2 types { portage_t portage_sandbox_t };
+ roleattribute $2 portage_roles;
')
########################################
diff --git a/portage.te b/portage.te
index 1588d0d..196e0bc 100644
--- a/portage.te
+++ b/portage.te
@@ -1,4 +1,4 @@
-policy_module(portage, 1.11.3)
+policy_module(portage, 1.11.4)
########################################
#
@@ -12,6 +12,8 @@ policy_module(portage, 1.11.3)
## </desc>
gen_tunable(portage_use_nfs, false)
+attribute_role portage_roles;
+
type gcc_config_t;
type gcc_config_exec_t;
application_domain(gcc_config_t, gcc_config_exec_t)
@@ -23,6 +25,7 @@ application_domain(portage_t, portage_exec_t)
domain_obj_id_change_exemption(portage_t)
rsync_entry_type(portage_t)
corecmd_shell_entry_type(portage_t)
+role portage_roles types portage_t;
# portage compile sandbox domain
type portage_sandbox_t;
@@ -30,6 +33,7 @@ application_domain(portage_sandbox_t, portage_exec_t)
# the shell is the entrypoint if regular sandbox is disabled
# portage_exec_t is the entrypoint if regular sandbox is enabled
corecmd_shell_entry_type(portage_sandbox_t)
+role portage_roles types portage_sandbox_t;
# portage package fetching domain
type portage_fetch_t;
@@ -37,6 +41,7 @@ type portage_fetch_exec_t;
application_domain(portage_fetch_t, portage_fetch_exec_t)
corecmd_shell_entry_type(portage_fetch_t)
rsync_entry_type(portage_fetch_t)
+role portage_roles types portage_fetch_t;
type portage_devpts_t;
term_pty(portage_devpts_t)
@@ -110,7 +115,7 @@ files_list_all(gcc_config_t)
init_dontaudit_read_script_status_files(gcc_config_t)
libs_read_lib_files(gcc_config_t)
-libs_domtrans_ldconfig(gcc_config_t)
+libs_run_ldconfig(gcc_config_t, portage_roles)
libs_manage_shared_libs(gcc_config_t)
# gcc-config creates a temp dir for the libs
libs_manage_lib_dirs(gcc_config_t)
@@ -184,16 +189,16 @@ auth_manage_shadow(portage_t)
init_exec(portage_t)
# run setfiles -r
-seutil_domtrans_setfiles(portage_t)
+seutil_run_setfiles(portage_t, portage_roles)
# run semodule
-seutil_domtrans_semanage(portage_t)
+seutil_run_semanage(portage_t, portage_roles)
-portage_domtrans_gcc_config(portage_t)
+portage_run_gcc_config(portage_t, portage_roles)
# if sesandbox is disabled, compiling is performed in this domain
portage_compile_domain(portage_t)
optional_policy(`
- bootloader_domtrans(portage_t)
+ bootloader_run(portage_t, portage_roles)
')
optional_policy(`
@@ -202,14 +207,14 @@ optional_policy(`
')
optional_policy(`
- modutils_domtrans_depmod(portage_t)
- modutils_domtrans_update_mods(portage_t)
+ modutils_run_depmod(portage_t, portage_roles)
+ modutils_run_update_mods(portage_t, portage_roles)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
')
optional_policy(`
- usermanage_domtrans_groupadd(portage_t)
- usermanage_domtrans_useradd(portage_t)
+ usermanage_run_groupadd(portage_t, portage_roles)
+ usermanage_run_useradd(portage_t, portage_roles)
')
ifdef(`TODO',`
diff --git a/ppp.if b/ppp.if
index b524673..de4bdb7 100644
--- a/ppp.if
+++ b/ppp.if
@@ -176,16 +176,11 @@ interface(`ppp_run_cond',`
#
interface(`ppp_run',`
gen_require(`
- type pppd_t, pptp_t;
+ attribute_role pppd_roles;
')
ppp_domtrans($1)
- role $2 types pppd_t;
- role $2 types pptp_t;
-
- optional_policy(`
- ddclient_run(pppd_t, $2)
- ')
+ roleattribute $2 pppd_roles;
')
########################################
diff --git a/ppp.te b/ppp.te
index 65abdc7..1f3c83e 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.12.2)
+policy_module(ppp, 1.12.3)
########################################
#
@@ -19,11 +19,14 @@ gen_tunable(pppd_can_insmod, false)
## </desc>
gen_tunable(pppd_for_user, false)
+attribute_role pppd_roles;
+
# pppd_t is the domain for the pppd program.
# pppd_exec_t is the type of the pppd executable.
type pppd_t;
type pppd_exec_t;
init_daemon_domain(pppd_t, pppd_exec_t)
+role pppd_roles types pppd_t;
type pppd_devpts_t;
term_pty(pppd_devpts_t)
@@ -58,6 +61,7 @@ files_pid_file(pppd_var_run_t)
type pptp_t;
type pptp_exec_t;
init_daemon_domain(pptp_t, pptp_exec_t)
+role pppd_roles types pptp_t;
type pptp_log_t;
logging_log_file(pptp_log_t)
@@ -183,7 +187,7 @@ userdom_search_user_home_dirs(pppd_t)
ppp_exec(pppd_t)
optional_policy(`
- ddclient_domtrans(pppd_t)
+ ddclient_run(pppd_t, pppd_roles)
')
optional_policy(`
diff --git a/rpm.if b/rpm.if
index d33daa8..951d8f6 100644
--- a/rpm.if
+++ b/rpm.if
@@ -78,14 +78,11 @@ interface(`rpm_domtrans_script',`
#
interface(`rpm_run',`
gen_require(`
- type rpm_t, rpm_script_t;
+ attribute_role rpm_roles;
')
rpm_domtrans($1)
- role $2 types { rpm_t rpm_script_t };
- seutil_run_loadpolicy(rpm_script_t, $2)
- seutil_run_semanage(rpm_script_t, $2)
- seutil_run_setfiles(rpm_script_t, $2)
+ roleattribute $2 rpm_roles;
')
########################################
diff --git a/rpm.te b/rpm.te
index 7d964bf..0e91c40 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,10 +1,12 @@
-policy_module(rpm, 1.13.0)
+policy_module(rpm, 1.13.1)
########################################
#
# Declarations
#
+attribute_role rpm_roles;
+
type debuginfo_exec_t;
domain_entry_file(rpm_t, debuginfo_exec_t)
@@ -15,6 +17,7 @@ domain_obj_id_change_exemption(rpm_t)
domain_role_change_exemption(rpm_t)
domain_system_change_exemption(rpm_t)
domain_interactive_fd(rpm_t)
+role rpm_roles types rpm_t;
type rpm_file_t;
files_type(rpm_file_t)
@@ -47,6 +50,7 @@ corecmd_bin_entry_type(rpm_script_t)
domain_type(rpm_script_t)
domain_entry_file(rpm_t, rpm_script_exec_t)
domain_interactive_fd(rpm_script_t)
+role rpm_roles types rpm_script_t;
role system_r types rpm_script_t;
type rpm_script_tmp_t;
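Review bot: `role system_r types rpm_script_t;` is kept next to the new `role rpm_roles types rpm_script_t;`, and rpm.te never adds `system_r` to `rpm_roles`, unlike dpkg.te, livecd.te, ncftool.te and vpn.te in this same diff. As a result the `_run` calls that take `rpm_roles` later in the file do not cover `system_r`; whether it reaches those helper types some other way is not visible here. For consistency I would put `roleattribute system_r rpm_roles;` after the `attribute_role rpm_roles;` declaration and drop the explicit `role system_r types rpm_script_t;` line, after checking that `system_r` is already meant to have `rpm_t`.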
@@ -181,7 +185,7 @@ init_use_script_ptys(rpm_t)
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
-libs_domtrans_ldconfig(rpm_t)
+libs_run_ldconfig(rpm_t, rpm_roles)
logging_send_syslog_msg(rpm_t)
@@ -210,7 +214,7 @@ optional_policy(`
')
optional_policy(`
- prelink_domtrans(rpm_t)
+ prelink_run(rpm_t, rpm_roles)
')
optional_policy(`
@@ -326,18 +330,18 @@ init_telinit(rpm_script_t)
libs_exec_ld_so(rpm_script_t)
libs_exec_lib_files(rpm_script_t)
-libs_domtrans_ldconfig(rpm_script_t)
+libs_run_ldconfig(rpm_script_t, rpm_roles)
logging_send_syslog_msg(rpm_script_t)
miscfiles_read_localization(rpm_script_t)
-modutils_domtrans_depmod(rpm_script_t)
-modutils_domtrans_insmod(rpm_script_t)
+modutils_run_depmod(rpm_script_t, rpm_roles)
+modutils_run_insmod(rpm_script_t, rpm_roles)
-seutil_domtrans_loadpolicy(rpm_script_t)
-seutil_domtrans_setfiles(rpm_script_t)
-seutil_domtrans_semanage(rpm_script_t)
+seutil_run_loadpolicy(rpm_script_t, rpm_roles)
+seutil_run_setfiles(rpm_script_t, rpm_roles)
+seutil_run_semanage(rpm_script_t, rpm_roles)
userdom_use_all_users_fds(rpm_script_t)
@@ -352,7 +356,7 @@ tunable_policy(`allow_execmem',`
')
optional_policy(`
- bootloader_domtrans(rpm_script_t)
+ bootloader_run(rpm_script_t, rpm_roles)
')
optional_policy(`
@@ -360,7 +364,7 @@ optional_policy(`
')
optional_policy(`
- lvm_domtrans(rpm_script_t)
+ lvm_run(rpm_script_t, rpm_roles)
')
optional_policy(`
@@ -368,8 +372,8 @@ optional_policy(`
')
optional_policy(`
- tzdata_domtrans(rpm_t)
- tzdata_domtrans(rpm_script_t)
+ tzdata_run(rpm_t, rpm_roles)
+ tzdata_run(rpm_script_t, rpm_roles)
')
optional_policy(`
@@ -390,6 +394,6 @@ optional_policy(`
')
optional_policy(`
- usermanage_domtrans_groupadd(rpm_script_t)
- usermanage_domtrans_useradd(rpm_script_t)
+ usermanage_run_groupadd(rpm_script_t, rpm_roles)
+ usermanage_run_useradd(rpm_script_t, rpm_roles)
')
diff --git a/usernetctl.if b/usernetctl.if
index ba9b9d6..d45c715 100644
--- a/usernetctl.if
+++ b/usernetctl.if
@@ -37,28 +37,9 @@ interface(`usernetctl_domtrans',`
#
interface(`usernetctl_run',`
gen_require(`
- type usernetctl_t;
+ attribute_role usernetctl_roles;
')
usernetctl_domtrans($1)
- role $2 types usernetctl_t;
-
- sysnet_run_ifconfig(usernetctl_t, $2)
- sysnet_run_dhcpc(usernetctl_t, $2)
-
- optional_policy(`
- consoletype_run(usernetctl_t, $2)
- ')
-
- optional_policy(`
- iptables_run(usernetctl_t, $2)
- ')
-
- optional_policy(`
- modutils_run_insmod(usernetctl_t, $2)
- ')
-
- optional_policy(`
- ppp_run(usernetctl_t, $2)
- ')
+ roleattribute $2 usernetctl_roles;
')
diff --git a/usernetctl.te b/usernetctl.te
index 9586818..8f3bc8c 100644
--- a/usernetctl.te
+++ b/usernetctl.te
@@ -1,14 +1,17 @@
-policy_module(usernetctl, 1.5.0)
+policy_module(usernetctl, 1.5.1)
########################################
#
# Declarations
#
+attribute_role usernetctl_roles;
+
type usernetctl_t;
type usernetctl_exec_t;
application_domain(usernetctl_t, usernetctl_exec_t)
domain_interactive_fd(usernetctl_t)
+role usernetctl_roles types usernetctl_t;
########################################
#
@@ -57,13 +60,31 @@ miscfiles_read_localization(usernetctl_t)
seutil_read_config(usernetctl_t)
sysnet_read_config(usernetctl_t)
+sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
+sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
userdom_use_user_terminals(usernetctl_t)
optional_policy(`
+ consoletype_run(usernetctl_t, usernetctl_roles)
+')
+
+optional_policy(`
hostname_exec(usernetctl_t)
')
optional_policy(`
+ iptables_run(usernetctl_t, usernetctl_roles)
+')
+
+optional_policy(`
+ modutils_run_insmod(usernetctl_t, usernetctl_roles)
+')
+
+optional_policy(`
nis_use_ypbind(usernetctl_t)
')
+
+optional_policy(`
+ ppp_run(usernetctl_t, usernetctl_roles)
+')
diff --git a/vpn.if b/vpn.if
index 64f8cdc..7b93e07 100644
--- a/vpn.if
+++ b/vpn.if
@@ -37,12 +37,11 @@ interface(`vpn_domtrans',`
#
interface(`vpn_run',`
gen_require(`
- type vpnc_t;
+ attribute_role vpnc_roles;
')
vpn_domtrans($1)
- role $2 types vpnc_t;
- sysnet_run_ifconfig(vpnc_t, $2)
+ roleattribute $2 vpnc_roles;
')
########################################
diff --git a/vpn.te b/vpn.te
index ebf4b26..68a784b 100644
--- a/vpn.te
+++ b/vpn.te
@@ -1,14 +1,17 @@
-policy_module(vpn, 1.14.0)
+policy_module(vpn, 1.14.1)
########################################
#
# Declarations
#
+attribute_role vpnc_roles;
+roleattribute system_r vpnc_roles;
+
type vpnc_t;
type vpnc_exec_t;
application_domain(vpnc_t, vpnc_exec_t)
-role system_r types vpnc_t;
+role vpnc_roles types vpnc_t;
type vpnc_tmp_t;
files_tmp_file(vpnc_tmp_t)
@@ -102,6 +105,7 @@ miscfiles_read_localization(vpnc_t)
seutil_dontaudit_search_config(vpnc_t)
seutil_use_newrole_fds(vpnc_t)
+sysnet_run_ifconfig(vpnc_t, vpnc_roles)
sysnet_etc_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t)
hooks/post-receive
--
refpolicy-contrib