[COMMIT]refpolicy branch, master, updated. contrib-26-g7d6b1e5
Reference Policy commits mail list
refpolicy-commits at oss.tresys.com
Wed Sep 21 08:54:06 CDT 2011
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "refpolicy".
The branch, master has been updated
via 7d6b1e5889ce275c31d29f5c88e976d805552e5c (commit)
via af1f9606c370d1d4077db7e1884143f3096ae8bd (commit)
via 26761b31cdecb990824c26c92ee54482822f99d1 (commit)
via f9145eae448456a385843af19bea8936b1b0981e (commit)
via 08cf443ff6fcf300e3169a9c4625d9b5cb25ac49 (commit)
via e6453fa567f5c288236a94f46d23f54bab79c932 (commit)
via d3cca4f92733e537838aa4221bb854813d44c294 (commit)
via a858f08e5b0a5f8ac30c7922547c8e717353f240 (commit)
via e3a043d18d5339155263840b51ffc74fd2d8b706 (commit)
via 2dd113f11c38ce0bffd67d676492c8fc4b1a1802 (commit)
via c0cdc81ee58a0bcce2d9228ebf26edc28d5c03a7 (commit)
from dfec2ce3a9b7a1e145011cf690208310a24acef5 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 7d6b1e5889ce275c31d29f5c88e976d805552e5c
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Sep 21 09:16:34 2011 -0400
Module version bump and changelog for role attributes usage.
commit af1f9606c370d1d4077db7e1884143f3096ae8bd
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Aug 12 10:39:01 2011 -0400
Add role attributes to usermanage.
commit 26761b31cdecb990824c26c92ee54482822f99d1
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Aug 12 10:37:56 2011 -0400
Add role attributes to bootloader.
commit f9145eae448456a385843af19bea8936b1b0981e
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Aug 12 08:12:59 2011 -0400
Add role attributes to dhcpc.
commit 08cf443ff6fcf300e3169a9c4625d9b5cb25ac49
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Aug 12 08:12:20 2011 -0400
Add role attributes in newrole and run_init.
commit e6453fa567f5c288236a94f46d23f54bab79c932
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Aug 12 08:11:48 2011 -0400
Add role attributes to mount.
commit d3cca4f92733e537838aa4221bb854813d44c294
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Aug 12 08:11:29 2011 -0400
Add role attributes to update_modules in modutils.
commit a858f08e5b0a5f8ac30c7922547c8e717353f240
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Aug 12 08:10:59 2011 -0400
Add role attributes in iptables.
commit e3a043d18d5339155263840b51ffc74fd2d8b706
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Aug 1 09:02:21 2011 -0400
Convert selinuxutil over to role attributes for semanage.
commit 2dd113f11c38ce0bffd67d676492c8fc4b1a1802
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Aug 1 09:01:45 2011 -0400
Move attribute_role decls to top of policy.conf/base.conf.
commit c0cdc81ee58a0bcce2d9228ebf26edc28d5c03a7
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Aug 1 08:54:59 2011 -0400
Update INSTALL for new toolchain requirements.
-----------------------------------------------------------------------
Summary of changes:
Changelog | 2 +
INSTALL | 20 ++++++-----------
policy/modules/admin/bootloader.if | 10 +------
policy/modules/admin/bootloader.te | 9 +++++--
policy/modules/admin/usermanage.if | 35 ++++++++---------------------
policy/modules/admin/usermanage.te | 40 ++++++++++++++++++++++------------
policy/modules/contrib | 2 +-
policy/modules/system/iptables.if | 10 +------
policy/modules/system/iptables.te | 11 ++++++---
policy/modules/system/modutils.if | 6 +---
policy/modules/system/modutils.te | 9 ++++++-
policy/modules/system/mount.if | 8 +-----
policy/modules/system/mount.te | 9 +++++--
policy/modules/system/selinuxutil.if | 28 ++++++-----------------
policy/modules/system/selinuxutil.te | 27 +++++++++++++++-------
policy/modules/system/sysnetwork.if | 21 +----------------
policy/modules/system/sysnetwork.te | 22 ++++++++++--------
support/comment_move_decl.sed | 2 +-
support/get_type_attr_decl.sed | 2 +-
19 files changed, 122 insertions(+), 151 deletions(-)
Detailed diffset:
:100644 100644 3400ba7... 6f1a3c7... M Changelog
:100644 100644 12885d2... d2ab5cb... M INSTALL
:100644 100644 63eb96b... a778bb1... M policy/modules/admin/bootloader.if
:100644 100644 1e771ba... 5c5bea4... M policy/modules/admin/bootloader.te
:100644 100644 81fb26f... 98b8b2d... M policy/modules/admin/usermanage.if
:100644 100644 d4d8533... 530c988... M policy/modules/admin/usermanage.te
:160000 160000 fc3ccf0... ca7f15b... M policy/modules/contrib
:100644 100644 7ba53db... c42fbc3... M policy/modules/system/iptables.if
:100644 100644 4f87146... b8361a0... M policy/modules/system/iptables.te
:100644 100644 b492674... 350c450... M policy/modules/system/modutils.if
:100644 100644 2e1c522... a8d6741... M policy/modules/system/modutils.te
:100644 100644 8b5c196... 4584457... M policy/modules/system/mount.if
:100644 100644 ae76fc9... 1284081... M policy/modules/system/mount.te
:100644 100644 170e2c7... 5885571... M policy/modules/system/selinuxutil.if
:100644 100644 d7855d3... df6d458... M policy/modules/system/selinuxutil.te
:100644 100644 1a76298... 363e98d... M policy/modules/system/sysnetwork.if
:100644 100644 2b94543... c4154fd... M policy/modules/system/sysnetwork.te
:100644 100644 20ffa6c... 601c4f7... M support/comment_move_decl.sed
:100644 100644 a113f21... 69c6ccd... M support/get_type_attr_decl.sed
diff --git a/Changelog b/Changelog
index 3400ba7..6f1a3c7 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Use role attributes to assist with domain transitions in interactive
+ programs.
- Milter ports patch from Paul Howarth.
- Separate portage fetch rules out of portage_run() and portage_domtrans()
from Sven Vermeulen.
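Review bot: the new entry omits the toolchain requirement that role attributes bring with them. The INSTALL change in this same push raises libsepol, libsemanage, checkpolicy and policycoreutils to 2.1.0, and a reader of the Changelog deciding whether to pull this release needs that in the same line, e.g. `- Use role attributes to assist with domain transitions in interactive programs (requires the 2.1.0 toolchain; see INSTALL).`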
diff --git a/INSTALL b/INSTALL
index 12885d2..d2ab5cb 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,16 +1,10 @@
-Reference Policy has a requirement of checkpolicy 1.33.1 and
-libsepol-1.16.2. Red Hat Enterprise Linux 4 and Fedora Core 4 RPMs
-are available on the CLIP download page at http://oss.tresys.com,
-and can be installed thusly:
-
-Red Hat Enterprise Linux 4:
-
- rpm -i libsepol-1.11.7-1.i386.rpm
- rpm -U checkpolicy-1.28-4.i386.rpm
-
-Fedora Core 4:
-
- rpm -U libsepol-1.11.7-1.i386.rpm checkpolicy-1.28-4.i386.rpm
+Reference Policy has the following build requirements:
+ * libsepol 2.1.0
+ * libsemanage 2.1.0
+ * checkpolicy 2.1.0
+ * policycoreutils 2.1.0
+ * Python PyXML
+ * GCC
To install Reference Policy sources into /etc/selinux/refpolicy/src/policy:
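Review bot: the rewritten requirements list drops the pointer to where the required packages can be obtained that the old text carried (the CLIP download page and example install commands). With four components jumping to 2.1.0 at once, a sentence on where to get them or which distributions ship them keeps INSTALL actionable, and the list should say whether the versions are minimums or exact requirements.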
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index 63eb96b..a778bb1 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -38,17 +38,11 @@ interface(`bootloader_domtrans',`
#
interface(`bootloader_run',`
gen_require(`
- type bootloader_t;
+ attribute_role bootloader_roles;
')
bootloader_domtrans($1)
-
- role $2 types bootloader_t;
-
- ifdef(`distro_redhat',`
- # for mke2fs
- mount_run(bootloader_t, $2)
- ')
+ roleattribute $2 bootloader_roles;
')
########################################
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 1e771ba..5c5bea4 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,10 +1,13 @@
-policy_module(bootloader, 1.12.1)
+policy_module(bootloader, 1.12.2)
########################################
#
# Declarations
#
+attribute_role bootloader_roles;
+roleattribute system_r bootloader_roles;
+
#
# boot_runtime_t is the type for /boot/kernel.h,
# which is automatically generated at boot time.
@@ -16,7 +19,7 @@ files_type(boot_runtime_t)
type bootloader_t;
type bootloader_exec_t;
application_domain(bootloader_t, bootloader_exec_t)
-role system_r types bootloader_t;
+role bootloader_roles types bootloader_t;
#
# bootloader_etc_t is the configuration file,
@@ -163,7 +166,7 @@ ifdef(`distro_redhat',`
files_manage_isid_type_chr_files(bootloader_t)
# for mke2fs
- mount_domtrans(bootloader_t)
+ mount_run(bootloader_t, bootloader_roles)
optional_policy(`
unconfined_domain(bootloader_t)
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 81fb26f..98b8b2d 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -41,11 +41,11 @@ interface(`usermanage_domtrans_chfn',`
#
interface(`usermanage_run_chfn',`
gen_require(`
- type chfn_t;
+ attribute_role chfn_roles;
')
usermanage_domtrans_chfn($1)
- role $2 types chfn_t;
+ roleattribute $2 chfn_roles;
')
########################################
@@ -90,15 +90,11 @@ interface(`usermanage_domtrans_groupadd',`
#
interface(`usermanage_run_groupadd',`
gen_require(`
- type groupadd_t;
+ attribute_role groupadd_roles;
')
usermanage_domtrans_groupadd($1)
- role $2 types groupadd_t;
-
- optional_policy(`
- nscd_run(groupadd_t, $2)
- ')
+ roleattribute $2 groupadd_roles;
')
########################################
@@ -160,12 +156,11 @@ interface(`usermanage_kill_passwd',`
#
interface(`usermanage_run_passwd',`
gen_require(`
- type passwd_t;
+ attribute_role passwd_roles;
')
usermanage_domtrans_passwd($1)
- role $2 types passwd_t;
- auth_run_chk_passwd(passwd_t, $2)
+ roleattribute $2 passwd_roles;
')
########################################
@@ -208,15 +203,11 @@ interface(`usermanage_domtrans_admin_passwd',`
#
interface(`usermanage_run_admin_passwd',`
gen_require(`
- type sysadm_passwd_t;
+ attribute_role sysadm_passwd_roles;
')
usermanage_domtrans_admin_passwd($1)
- role $2 types sysadm_passwd_t;
-
- optional_policy(`
- nscd_run(sysadm_passwd_t, $2)
- ')
+ roleattribute $2 sysadm_passwd_roles;
')
########################################
@@ -279,17 +270,11 @@ interface(`usermanage_domtrans_useradd',`
#
interface(`usermanage_run_useradd',`
gen_require(`
- type useradd_t;
+ attribute_role useradd_roles;
')
usermanage_domtrans_useradd($1)
- role $2 types useradd_t;
-
- seutil_run_semanage(useradd_t, $2)
-
- optional_policy(`
- nscd_run(useradd_t, $2)
- ')
+ roleattribute $2 useradd_roles;
')
########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index d4d8533..530c988 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,10 +1,23 @@
-policy_module(usermanage, 1.16.0)
+policy_module(usermanage, 1.16.1)
########################################
#
# Declarations
#
+attribute_role chfn_roles;
+role system_r types chfn_t;
+
+attribute_role groupadd_roles;
+
+attribute_role passwd_roles;
+roleattribute system_r passwd_roles;
+
+attribute_role sysadm_passwd_roles;
+roleattribute system_r sysadm_passwd_roles;
+
+attribute_role useradd_roles;
+
type admin_passwd_exec_t;
files_type(admin_passwd_exec_t)
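Review bot: three of the five new role attributes are never authorized for their own domains. `passwd_roles` and `sysadm_passwd_roles` get `role passwd_roles types passwd_t;` and `role sysadm_passwd_roles types sysadm_passwd_t;` later in this file, but no `role chfn_roles types chfn_t;`, `role groupadd_roles types groupadd_t;` or `role useradd_roles types useradd_t;` is added anywhere in the diff. Callers of `usermanage_run_chfn`, `usermanage_run_groupadd` and `usermanage_run_useradd` previously received `role $2 types chfn_t;` etc. directly; after this change their role is only authorized for the helper domains reached through `auth_run_chk_passwd`, `nscd_run` and `seutil_run_*`, not for chfn_t, groupadd_t or useradd_t themselves. The `role system_r types chfn_t;` kept under `attribute_role chfn_roles;` also breaks the pattern used for the other attributes; suggest `roleattribute system_r chfn_roles;` plus `role chfn_roles types chfn_t;`, and the matching `role X_roles types X_t;` lines for groupadd and useradd.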
@@ -12,7 +25,6 @@ type chfn_t;
type chfn_exec_t;
domain_obj_id_change_exemption(chfn_t)
application_domain(chfn_t, chfn_exec_t)
-role system_r types chfn_t;
type crack_t;
type crack_exec_t;
@@ -34,12 +46,12 @@ type passwd_t;
type passwd_exec_t;
domain_obj_id_change_exemption(passwd_t)
application_domain(passwd_t, passwd_exec_t)
-role system_r types passwd_t;
+role passwd_roles types passwd_t;
type sysadm_passwd_t;
domain_obj_id_change_exemption(sysadm_passwd_t)
application_domain(sysadm_passwd_t, admin_passwd_exec_t)
-role system_r types sysadm_passwd_t;
+role sysadm_passwd_roles types sysadm_passwd_t;
type sysadm_passwd_tmp_t;
files_tmp_file(sysadm_passwd_tmp_t)
@@ -88,7 +100,7 @@ fs_search_auto_mountpoints(chfn_t)
# for SSP
dev_read_urand(chfn_t)
-auth_domtrans_chk_passwd(chfn_t)
+auth_run_chk_passwd(chfn_t, chfn_roles)
auth_dontaudit_read_shadow(chfn_t)
auth_use_nsswitch(chfn_t)
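Review bot: this widens role authorization beyond what the old interface granted. `usermanage_run_chfn` only did `role $2 types chfn_t;` and chfn_t reached the password checker through `auth_domtrans_chk_passwd(chfn_t)`, which gives no role access; with `auth_run_chk_passwd(chfn_t, chfn_roles)` every role added to chfn_roles is also authorized for the password-checking domain. The groupadd and useradd hunks in this file make the same change. If that is intended, state it in the commit message; otherwise keep `auth_domtrans_chk_passwd` here.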
@@ -216,7 +228,7 @@ logging_send_syslog_msg(groupadd_t)
miscfiles_read_localization(groupadd_t)
-auth_domtrans_chk_passwd(groupadd_t)
+auth_run_chk_passwd(groupadd_t, groupadd_roles)
auth_rw_lastlog(groupadd_t)
auth_use_nsswitch(groupadd_t)
# these may be unnecessary due to the above
@@ -237,7 +249,7 @@ optional_policy(`
')
optional_policy(`
- nscd_domtrans(groupadd_t)
+ nscd_run(groupadd_t, groupadd_roles)
')
optional_policy(`
@@ -294,7 +306,7 @@ selinux_compute_user_contexts(passwd_t)
term_use_all_ttys(passwd_t)
term_use_all_ptys(passwd_t)
-auth_domtrans_chk_passwd(passwd_t)
+auth_run_chk_passwd(passwd_t, passwd_roles)
auth_manage_shadow(passwd_t)
auth_relabel_shadow(passwd_t)
auth_etc_filetrans_shadow(passwd_t)
@@ -334,7 +346,7 @@ userdom_read_user_tmp_files(passwd_t)
userdom_dontaudit_search_user_home_content(passwd_t)
optional_policy(`
- nscd_domtrans(passwd_t)
+ nscd_run(passwd_t, passwd_roles)
')
########################################
@@ -418,7 +430,7 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
optional_policy(`
- nscd_domtrans(sysadm_passwd_t)
+ nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
')
########################################
@@ -472,7 +484,7 @@ selinux_compute_user_contexts(useradd_t)
term_use_all_ttys(useradd_t)
term_use_all_ptys(useradd_t)
-auth_domtrans_chk_passwd(useradd_t)
+auth_run_chk_passwd(useradd_t, useradd_roles)
auth_rw_lastlog(useradd_t)
auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
@@ -493,8 +505,8 @@ miscfiles_read_localization(useradd_t)
seutil_read_config(useradd_t)
seutil_read_file_contexts(useradd_t)
seutil_read_default_contexts(useradd_t)
-seutil_domtrans_semanage(useradd_t)
-seutil_domtrans_setfiles(useradd_t)
+seutil_run_semanage(useradd_t, useradd_roles)
+seutil_run_setfiles(useradd_t, useradd_roles)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@@ -525,7 +537,7 @@ optional_policy(`
')
optional_policy(`
- nscd_domtrans(useradd_t)
+ nscd_run(useradd_t, useradd_roles)
')
optional_policy(`
diff --git a/policy/modules/contrib b/policy/modules/contrib
index fc3ccf0..ca7f15b 160000
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@@ -1 +1 @@
-Subproject commit fc3ccf09af8cf77666075c8bc93e1bf5d2ede9c1
+Subproject commit ca7f15b944fb865a3d7056467c838c9350c19ab1
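Review bot: the submodule pointer moves without any mention of what contrib changes it pulls in. This superproject diff now passes role attributes as the `$2` argument to contrib interfaces (`nscd_run`, `samba_run_smbmount`, `consoletype_run`, `hostname_run`, `netutils_run`, `netutils_run_ping`), so the commit message should say the new contrib revision is the matching role-attribute conversion and that the two trees must be kept in step.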
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 7ba53db..c42fbc3 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -42,17 +42,11 @@ interface(`iptables_domtrans',`
#
interface(`iptables_run',`
gen_require(`
- type iptables_t;
+ attribute_role iptables_roles;
')
iptables_domtrans($1)
- role $2 types iptables_t;
-
- sysnet_run_ifconfig(iptables_t, $2)
-
- optional_policy(`
- modutils_run_insmod(iptables_t, $2)
- ')
+ roleattribute $2 iptables_roles;
')
########################################
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 4f87146..b8361a0 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,14 +1,17 @@
-policy_module(iptables, 1.12.1)
+policy_module(iptables, 1.12.2)
########################################
#
# Declarations
#
+attribute_role iptables_roles;
+roleattribute system_r iptables_roles;
+
type iptables_t;
type iptables_exec_t;
init_system_domain(iptables_t, iptables_exec_t)
-role system_r types iptables_t;
+role iptables_roles types iptables_t;
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -87,7 +90,7 @@ logging_send_syslog_msg(iptables_t)
miscfiles_read_localization(iptables_t)
-sysnet_domtrans_ifconfig(iptables_t)
+sysnet_run_ifconfig(iptables_t, iptables_roles)
sysnet_dns_name_resolve(iptables_t)
userdom_use_user_terminals(iptables_t)
@@ -107,7 +110,7 @@ optional_policy(`
')
optional_policy(`
- modutils_domtrans_insmod(iptables_t)
+ modutils_run_insmod(iptables_t, iptables_roles)
')
optional_policy(`
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index b492674..350c450 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -307,13 +307,11 @@ interface(`modutils_domtrans_update_mods',`
#
interface(`modutils_run_update_mods',`
gen_require(`
- type update_modules_t;
+ attribute_role update_modules_roles;
')
modutils_domtrans_update_mods($1)
- role $2 types update_modules_t;
-
- modutils_run_insmod(update_modules_t, $2)
+ roleattribute $2 update_modules_roles;
')
########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 2e1c522..a8d6741 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,10 +1,12 @@
-policy_module(modutils, 1.11.1)
+policy_module(modutils, 1.11.2)
########################################
#
# Declarations
#
+attribute_role update_modules_roles;
+
type depmod_t;
type depmod_exec_t;
init_system_domain(depmod_t, depmod_exec_t)
@@ -27,7 +29,8 @@ files_type(modules_dep_t)
type update_modules_t;
type update_modules_exec_t;
init_system_domain(update_modules_t, update_modules_exec_t)
-role system_r types update_modules_t;
+roleattribute system_r update_modules_roles;
+role update_modules_roles types update_modules_t;
type update_modules_tmp_t;
files_tmp_file(update_modules_tmp_t)
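Review bot: `roleattribute system_r update_modules_roles;` sits next to the type declaration instead of beside `attribute_role update_modules_roles;` in the Declarations block, unlike iptables.te, mount.te and bootloader.te in this same push, which keep the two lines together. Move it up for consistency; the build-process sed scripts only relocate lines starting with `attribute_role`, so the placement of the `roleattribute` line is purely a readability matter.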
@@ -290,6 +293,8 @@ logging_send_syslog_msg(update_modules_t)
miscfiles_read_localization(update_modules_t)
+modutils_run_insmod(update_modules_t, update_modules_roles)
+
userdom_use_user_terminals(update_modules_t)
userdom_dontaudit_search_user_home_dirs(update_modules_t)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 8b5c196..4584457 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -38,15 +38,11 @@ interface(`mount_domtrans',`
#
interface(`mount_run',`
gen_require(`
- type mount_t;
+ attribute_role mount_roles;
')
mount_domtrans($1)
- role $2 types mount_t;
-
- optional_policy(`
- samba_run_smbmount($1, $2)
- ')
+ roleattribute $2 mount_roles;
')
########################################
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index ae76fc9..1284081 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.13.0)
+policy_module(mount, 1.13.1)
########################################
#
@@ -12,10 +12,13 @@ policy_module(mount, 1.13.0)
## </desc>
gen_tunable(allow_mount_anyfile, false)
+attribute_role mount_roles;
+roleattribute system_r mount_roles;
+
type mount_t;
type mount_exec_t;
init_system_domain(mount_t, mount_exec_t)
-role system_r types mount_t;
+role mount_roles types mount_t;
type mount_loopback_t; # customizable
files_type(mount_loopback_t)
@@ -194,7 +197,7 @@ optional_policy(`
')
optional_policy(`
- samba_domtrans_smbmount(mount_t)
+ samba_run_smbmount(mount_t, mount_roles)
')
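Review bot: this silently fixes a bug in the old interface. The removed `mount_run` body called `samba_run_smbmount($1, $2)`, passing the caller's domain rather than mount_t, so the smbmount transition was granted to the caller instead of to mount; `samba_run_smbmount(mount_t, mount_roles)` here is the correct form. That is a behavioural change for existing callers of `mount_run`, who lose a direct smbmount transition they may have depended on, and it deserves its own Changelog line rather than being folded into the role-attribute commit.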
########################################
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 170e2c7..5885571 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -192,13 +192,11 @@ interface(`seutil_domtrans_newrole',`
#
interface(`seutil_run_newrole',`
gen_require(`
- type newrole_t;
+ attribute_role newrole_roles;
')
seutil_domtrans_newrole($1)
- role $2 types newrole_t;
-
- auth_run_upd_passwd(newrole_t, $2)
+ roleattribute $2 newrole_roles;
')
########################################
@@ -427,15 +425,11 @@ interface(`seutil_init_script_domtrans_runinit',`
#
interface(`seutil_run_runinit',`
gen_require(`
- type run_init_t;
- role system_r;
+ attribute_role run_init_roles;
')
- auth_run_chk_passwd(run_init_t, $2)
seutil_domtrans_runinit($1)
- role $2 types run_init_t;
-
- allow $2 system_r;
+ roleattribute $2 run_init_roles;
')
########################################
@@ -467,15 +461,11 @@ interface(`seutil_run_runinit',`
#
interface(`seutil_init_script_run_runinit',`
gen_require(`
- type run_init_t;
- role system_r;
+ attribute_role run_init_roles;
')
- auth_run_chk_passwd(run_init_t, $2)
seutil_init_script_domtrans_runinit($1)
- role $2 types run_init_t;
-
- allow $2 system_r;
+ roleattribute $2 run_init_roles;
')
########################################
@@ -1027,13 +1017,11 @@ interface(`seutil_domtrans_semanage',`
#
interface(`seutil_run_semanage',`
gen_require(`
- type semanage_t;
+ attribute_role semanage_roles;
')
seutil_domtrans_semanage($1)
- seutil_run_setfiles(semanage_t, $2)
- seutil_run_loadpolicy(semanage_t, $2)
- role $2 types semanage_t;
+ roleattribute $2 semanage_roles;
')
########################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index d7855d3..df6d458 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.15.4)
+policy_module(selinuxutil, 1.15.5)
gen_require(`
bool secure_mode;
@@ -12,6 +12,14 @@ gen_require(`
attribute can_write_binary_policy;
attribute can_relabelto_binary_policy;
+attribute_role newrole_roles;
+
+attribute_role run_init_roles;
+role system_r types run_init_t;
+
+attribute_role semanage_roles;
+roleattribute system_r semanage_roles;
+
#
# selinux_config_t is the type applied to
# /etc/selinux/config
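Review bot: `newrole_roles` and `run_init_roles` are declared but never authorized for their domains. `semanage_roles` gets `role semanage_roles types semanage_t;` in the next hunk, yet no `role newrole_roles types newrole_t;` or `role run_init_roles types run_init_t;` appears anywhere in the diff, and the `role system_r types run_init_t;` moved here still names the type directly. Callers of `seutil_run_newrole`, `seutil_run_runinit` and `seutil_init_script_run_runinit` previously received `role $2 types newrole_t;` / `role $2 types run_init_t;`; after this change they only get the helper domains from `auth_run_*` and the `allow run_init_roles system_r;` role change. Suggest `roleattribute system_r run_init_roles;` with `role run_init_roles types run_init_t;`, and `role newrole_roles types newrole_t;`.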
@@ -83,13 +91,12 @@ type run_init_t;
type run_init_exec_t;
application_domain(run_init_t, run_init_exec_t)
domain_system_change_exemption(run_init_t)
-role system_r types run_init_t;
type semanage_t;
type semanage_exec_t;
application_domain(semanage_t, semanage_exec_t)
domain_interactive_fd(semanage_t)
-role system_r types semanage_t;
+role semanage_roles types semanage_t;
type semanage_store_t;
files_type(semanage_store_t)
@@ -268,8 +275,8 @@ term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
auth_use_nsswitch(newrole_t)
-auth_domtrans_chk_passwd(newrole_t)
-auth_domtrans_upd_passwd(newrole_t)
+auth_run_chk_passwd(newrole_t, newrole_roles)
+auth_run_upd_passwd(newrole_t, newrole_roles)
auth_rw_faillog(newrole_t)
# Write to utmp.
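Review bot: same widening as in usermanage.te: `auth_run_chk_passwd(newrole_t, newrole_roles)` authorizes every role in newrole_roles for the password-checking domain, whereas the old `seutil_run_newrole` only called `auth_run_upd_passwd(newrole_t, $2)` and left chk_passwd as a role-less `auth_domtrans_chk_passwd(newrole_t)`. If the extra role authorization is intended, say so in the commit message; otherwise keep `auth_domtrans_chk_passwd` for newrole_t.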
@@ -357,6 +364,8 @@ optional_policy(`
# Run_init local policy
#
+allow run_init_roles system_r;
+
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -388,8 +397,8 @@ selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
auth_use_nsswitch(run_init_t)
-auth_domtrans_chk_passwd(run_init_t)
-auth_domtrans_upd_passwd(run_init_t)
+auth_run_chk_passwd(run_init_t, run_init_roles)
+auth_run_upd_passwd(run_init_t, run_init_roles)
auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
@@ -481,8 +490,8 @@ miscfiles_read_localization(semanage_t)
seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
-seutil_domtrans_setfiles(semanage_t)
-seutil_domtrans_loadpolicy(semanage_t)
+seutil_run_setfiles(semanage_t, semanage_roles)
+seutil_run_loadpolicy(semanage_t, semanage_roles)
seutil_manage_bin_policy(semanage_t)
seutil_use_newrole_fds(semanage_t)
seutil_manage_module_store(semanage_t)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 1a76298..363e98d 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,28 +38,11 @@ interface(`sysnet_domtrans_dhcpc',`
#
interface(`sysnet_run_dhcpc',`
gen_require(`
- type dhcpc_t;
+ attribute_role dhcpc_roles;
')
sysnet_domtrans_dhcpc($1)
- role $2 types dhcpc_t;
-
- modutils_run_insmod(dhcpc_t, $2)
-
- sysnet_run_ifconfig(dhcpc_t, $2)
-
- optional_policy(`
- consoletype_run(dhcpc_t, $2)
- ')
-
- optional_policy(`
- hostname_run(dhcpc_t, $2)
- ')
-
- optional_policy(`
- netutils_run(dhcpc_t, $2)
- netutils_run_ping(dhcpc_t, $2)
- ')
+ roleattribute $2 dhcpc_roles;
')
########################################
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 2b94543..c4154fd 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,10 +1,13 @@
-policy_module(sysnetwork, 1.12.2)
+policy_module(sysnetwork, 1.12.3)
########################################
#
# Declarations
#
+attribute_role dhcpc_roles;
+roleattribute system_r dhcpc_roles;
+
# this is shared between dhcpc and dhcpd:
type dhcp_etc_t;
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
@@ -17,7 +20,7 @@ files_type(dhcp_state_t)
type dhcpc_t;
type dhcpc_exec_t;
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
-role system_r types dhcpc_t;
+role dhcpc_roles types dhcpc_t;
type dhcpc_state_t;
files_type(dhcpc_state_t)
@@ -76,9 +79,6 @@ files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })
can_exec(dhcpc_t, dhcpc_exec_t)
-# transition to ifconfig
-domtrans_pattern(dhcpc_t, ifconfig_exec_t, ifconfig_t)
-
kernel_read_system_state(dhcpc_t)
kernel_read_network_state(dhcpc_t)
kernel_search_network_sysctl(dhcpc_t)
@@ -136,7 +136,9 @@ logging_send_syslog_msg(dhcpc_t)
miscfiles_read_localization(dhcpc_t)
-modutils_domtrans_insmod(dhcpc_t)
+modutils_run_insmod(dhcpc_t, dhcpc_roles)
+
+sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
userdom_use_user_terminals(dhcpc_t)
userdom_dontaudit_search_user_home_dirs(dhcpc_t)
@@ -152,7 +154,7 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
- consoletype_domtrans(dhcpc_t)
+ consoletype_run(dhcpc_t, dhcpc_roles)
')
optional_policy(`
@@ -167,7 +169,7 @@ optional_policy(`
')
optional_policy(`
- hostname_domtrans(dhcpc_t)
+ hostname_run(dhcpc_t, dhcpc_roles)
')
optional_policy(`
@@ -185,8 +187,8 @@ optional_policy(`
# for the dhcp client to run ping to check IP addresses
optional_policy(`
- netutils_domtrans_ping(dhcpc_t)
- netutils_domtrans(dhcpc_t)
+ netutils_run_ping(dhcpc_t, dhcpc_roles)
+ netutils_run(dhcpc_t, dhcpc_roles)
',`
allow dhcpc_t self:capability setuid;
allow dhcpc_t self:rawip_socket create_socket_perms;
diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed
index 20ffa6c..601c4f7 100644
--- a/support/comment_move_decl.sed
+++ b/support/comment_move_decl.sed
@@ -5,7 +5,7 @@
/require \{/,/} # end require/b nextline
/optional \{/,/} # end optional/b nextline
-/^[[:blank:]]*(attribute|type(alias)?) /s/^/# this line was moved by the build process: &/
+/^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/
/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/
/^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/
/^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/
diff --git a/support/get_type_attr_decl.sed b/support/get_type_attr_decl.sed
index a113f21..69c6ccd 100644
--- a/support/get_type_attr_decl.sed
+++ b/support/get_type_attr_decl.sed
@@ -5,7 +5,7 @@
/require \{/,/} # end require/b nextline
/optional \{/,/} # end optional/b nextline
-/^[[:blank:]]*(attribute|type(alias)?|bool) /{
+/^[[:blank:]]*(attribute(_role)?|type(alias)?|bool) /{
s/^[[:blank:]]+//
p
}