Blob Blame History Raw
commit cfa63bfedb3b94a2b78bc3ee394cf7132167e45b
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Jun 7 02:18:29 2012 +0200

    roleattribute patch

diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index 4a50807..5e914db 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -56,11 +56,21 @@ interface(`bootloader_exec',`
 #
 interface(`bootloader_run',`
 	gen_require(`
-		attribute_role bootloader_roles;
+		type bootloader_t;
+		#attribute_role bootloader_roles;
 	')
 
+	#bootloader_domtrans($1)
+	#roleattribute $2 bootloader_roles;
+
 	bootloader_domtrans($1)
-	roleattribute $2 bootloader_roles;
+
+        role $2 types bootloader_t;
+
+        ifdef(`distro_redhat',`
+                # for mke2fs
+		mount_run(bootloader_t, $2)
+	')
 ')
 
 ########################################
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 81a08e4..e717a21 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0)
 # Declarations
 #
 
-attribute_role bootloader_roles;
-roleattribute system_r bootloader_roles;
+#attribute_role bootloader_roles;
+#roleattribute system_r bootloader_roles;
 
 #
 # boot_runtime_t is the type for /boot/kernel.h,
@@ -19,7 +19,8 @@ files_type(boot_runtime_t)
 type bootloader_t;
 type bootloader_exec_t;
 application_domain(bootloader_t, bootloader_exec_t)
-role bootloader_roles types bootloader_t;
+#role bootloader_roles types bootloader_t;
+role system_r types bootloader_t;
 
 #
 # bootloader_etc_t is the configuration file,
@@ -174,7 +175,8 @@ ifdef(`distro_redhat',`
 	files_manage_isid_type_chr_files(bootloader_t)
 
 	# for mke2fs
-	mount_run(bootloader_t, bootloader_roles)
+	#mount_run(bootloader_t, bootloader_roles)
+	mount_domtrans(bootloader_t)
 
 	optional_policy(`
 		unconfined_domain(bootloader_t)
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 4d387af..764260e 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -37,11 +37,16 @@ interface(`usermanage_domtrans_chfn',`
 #
 interface(`usermanage_run_chfn',`
 	gen_require(`
-		attribute_role chfn_roles;
+		#attribute_role chfn_roles;
+		type chfn_t;
 	')
 
+	#usermanage_domtrans_chfn($1)
+	#roleattribute $2 chfn_roles;
+
 	usermanage_domtrans_chfn($1)
-	roleattribute $2 chfn_roles;
+        role $2 types chfn_t;
+
 ')
 
 ########################################
@@ -101,11 +106,19 @@ interface(`usermanage_access_check_groupadd',`
 #
 interface(`usermanage_run_groupadd',`
 	gen_require(`
-		attribute_role groupadd_roles;
+		type groupadd_t;
+		#attribute_role groupadd_roles;
 	')
 
+	#usermanage_domtrans_groupadd($1)
+	#roleattribute $2 groupadd_roles;
 	usermanage_domtrans_groupadd($1)
-	roleattribute $2 groupadd_roles;
+        role $2 types groupadd_t;
+
+        optional_policy(`
+                nscd_run(groupadd_t, $2)
+        ')
+
 ')
 
 ########################################
@@ -163,11 +176,17 @@ interface(`usermanage_kill_passwd',`
 #
 interface(`usermanage_run_passwd',`
 	gen_require(`
-		attribute_role passwd_roles;
+		type type passwd_t;
+		#attribute_role passwd_roles;
 	')
 
+	#usermanage_domtrans_passwd($1)
+	#roleattribute $2 passwd_roles;
+
 	usermanage_domtrans_passwd($1)
-	roleattribute $2 passwd_roles;
+        role $2 types passwd_t;
+        auth_run_chk_passwd(passwd_t, $2)
+
 ')
 
 ########################################
@@ -229,11 +248,20 @@ interface(`usermanage_domtrans_admin_passwd',`
 #
 interface(`usermanage_run_admin_passwd',`
 	gen_require(`
-		attribute_role sysadm_passwd_roles;
+		type sysadm_passwd_t;
+		#attribute_role sysadm_passwd_roles;
 	')
 
+	#usermanage_domtrans_admin_passwd($1)
+	#roleattribute $2 sysadm_passwd_roles;
+
 	usermanage_domtrans_admin_passwd($1)
-	roleattribute $2 sysadm_passwd_roles;
+        role $2 types sysadm_passwd_t;
+
+        optional_policy(`
+                nscd_run(sysadm_passwd_t, $2)
+        ')
+
 ')
 
 ########################################
@@ -292,11 +320,20 @@ interface(`usermanage_domtrans_useradd',`
 #
 interface(`usermanage_run_useradd',`
 	gen_require(`
-		attribute_role useradd_roles;
+		#attribute_role useradd_roles;
+		type sysadm_passwd_t;
 	')
 
-	usermanage_domtrans_useradd($1)
-	roleattribute $2 useradd_roles;
+	#usermanage_domtrans_useradd($1)
+	#roleattribute $2 useradd_roles;
+
+	usermanage_domtrans_admin_passwd($1)
+        role $2 types sysadm_passwd_t;
+
+        optional_policy(`
+                nscd_run(sysadm_passwd_t, $2)
+        ')
+
 ')
 
 ########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 446b743..a077b28 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.17.3)
 # Declarations
 #
 
-attribute_role chfn_roles;
-role system_r types chfn_t;
+#attribute_role chfn_roles;
+#role system_r types chfn_t;
 
-attribute_role groupadd_roles;
+#attribute_role groupadd_roles;
 
-attribute_role passwd_roles;
-roleattribute system_r passwd_roles;
+#attribute_role passwd_roles;
+#roleattribute system_r passwd_roles;
 
-attribute_role sysadm_passwd_roles;
-roleattribute system_r sysadm_passwd_roles;
+#attribute_role sysadm_passwd_roles;
+#roleattribute system_r sysadm_passwd_roles;
 
-attribute_role useradd_roles;
+#attribute_role useradd_roles;
 
 type admin_passwd_exec_t;
 files_type(admin_passwd_exec_t)
@@ -25,7 +25,8 @@ type chfn_t;
 type chfn_exec_t;
 domain_obj_id_change_exemption(chfn_t)
 application_domain(chfn_t, chfn_exec_t)
-role chfn_roles types chfn_t;
+#role chfn_roles types chfn_t;
+role system_r types chfn_t;
 
 type crack_t;
 type crack_exec_t;
@@ -42,18 +43,21 @@ type groupadd_t;
 type groupadd_exec_t;
 domain_obj_id_change_exemption(groupadd_t)
 init_system_domain(groupadd_t, groupadd_exec_t)
-role groupadd_roles types groupadd_t;
+#role groupadd_roles types groupadd_t;
+
 
 type passwd_t;
 type passwd_exec_t;
 domain_obj_id_change_exemption(passwd_t)
 application_domain(passwd_t, passwd_exec_t)
-role passwd_roles types passwd_t;
+#role passwd_roles types passwd_t;
+role system_r types passwd_t;
 
 type sysadm_passwd_t;
 domain_obj_id_change_exemption(sysadm_passwd_t)
 application_domain(sysadm_passwd_t, admin_passwd_exec_t)
-role sysadm_passwd_roles types sysadm_passwd_t;
+#role sysadm_passwd_roles types sysadm_passwd_t;
+role system_r types sysadm_passwd_t;
 
 type sysadm_passwd_tmp_t;
 files_tmp_file(sysadm_passwd_tmp_t)
@@ -62,7 +66,8 @@ type useradd_t;
 type useradd_exec_t;
 domain_obj_id_change_exemption(useradd_t)
 init_system_domain(useradd_t, useradd_exec_t)
-role useradd_roles types useradd_t;
+#role useradd_roles types useradd_t;
+role system_r types useradd_t;
 
 ########################################
 #
@@ -106,11 +111,11 @@ fs_search_auto_mountpoints(chfn_t)
 dev_read_urand(chfn_t)
 dev_dontaudit_getattr_all(chfn_t)
 
-#auth_manage_passwd(chfn_t)
-#auth_use_pam(chfn_t)
-auth_run_chk_passwd(chfn_t, chfn_roles)
-auth_dontaudit_read_shadow(chfn_t)
-auth_use_nsswitch(chfn_t)
+auth_manage_passwd(chfn_t)
+auth_use_pam(chfn_t)
+#auth_run_chk_passwd(chfn_t, chfn_roles)
+#auth_dontaudit_read_shadow(chfn_t)
+#auth_use_nsswitch(chfn_t)
 
 # allow checking if a shell is executable
 corecmd_check_exec_shell(chfn_t)
@@ -250,7 +255,8 @@ logging_send_syslog_msg(groupadd_t)
 
 miscfiles_read_localization(groupadd_t)
 
-auth_run_chk_passwd(groupadd_t, groupadd_roles)
+#auth_run_chk_passwd(groupadd_t, groupadd_roles)
+auth_domtrans_chk_passwd(groupadd_t)
 auth_rw_lastlog(groupadd_t)
 auth_use_nsswitch(groupadd_t)
 auth_manage_passwd(groupadd_t)
@@ -273,7 +279,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nscd_run(groupadd_t, groupadd_roles)
+#	nscd_run(groupadd_t, groupadd_roles)
+	nscd_domtrans(groupadd_t)
 ')
 
 optional_policy(`
@@ -332,18 +339,18 @@ selinux_compute_user_contexts(passwd_t)
 term_use_all_inherited_terms(passwd_t)
 term_getattr_all_ptys(passwd_t)
 
-#auth_manage_passwd(passwd_t)
-#auth_manage_shadow(passwd_t)
-#auth_relabel_shadow(passwd_t)
-#auth_etc_filetrans_shadow(passwd_t)
-#auth_use_pam(passwd_t)
-
-auth_run_chk_passwd(passwd_t, passwd_roles)
 auth_manage_passwd(passwd_t)
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
 auth_etc_filetrans_shadow(passwd_t)
-auth_use_nsswitch(passwd_t)
+auth_use_pam(passwd_t)
+
+#auth_run_chk_passwd(passwd_t, passwd_roles)
+#auth_manage_passwd(passwd_t)
+#auth_manage_shadow(passwd_t)
+#auth_relabel_shadow(passwd_t)
+#auth_etc_filetrans_shadow(passwd_t)
+#auth_use_nsswitch(passwd_t)
 
 # allow checking if a shell is executable
 corecmd_check_exec_shell(passwd_t)
@@ -385,7 +392,8 @@ userdom_dontaudit_search_user_home_content(passwd_t)
 userdom_stream_connect(passwd_t)
 
 optional_policy(`
-	nscd_run(passwd_t, passwd_roles)
+	#nscd_run(passwd_t, passwd_roles)
+	nscd_domtrans(passwd_t)
 ')
 
 ########################################
@@ -469,7 +477,8 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
 userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
 
 optional_policy(`
-	nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
+	nscd_domtrans(sysadm_passwd_t)
+	#nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
 ')
 
 ########################################
@@ -525,7 +534,8 @@ seutil_manage_default_contexts(useradd_t)
 term_use_all_inherited_terms(useradd_t)
 term_getattr_all_ptys(useradd_t)
 
-auth_run_chk_passwd(useradd_t, useradd_roles)
+#auth_run_chk_passwd(useradd_t, useradd_roles)
+auth_domtrans_chk_passwd(useradd_t)
 auth_rw_lastlog(useradd_t)
 auth_rw_faillog(useradd_t)
 auth_use_nsswitch(useradd_t)
@@ -547,15 +557,15 @@ miscfiles_read_localization(useradd_t)
 seutil_read_config(useradd_t)
 seutil_read_file_contexts(useradd_t)
 seutil_read_default_contexts(useradd_t)
-#seutil_domtrans_semanage(useradd_t)
-#seutil_domtrans_setfiles(useradd_t)
-#seutil_domtrans_loadpolicy(useradd_t)
-#seutil_manage_bin_policy(useradd_t)
-#seutil_manage_module_store(useradd_t)
-#seutil_get_semanage_trans_lock(useradd_t)
-#seutil_get_semanage_read_lock(useradd_t)
-seutil_run_semanage(useradd_t, useradd_roles)
-seutil_run_setfiles(useradd_t, useradd_roles)
+seutil_domtrans_semanage(useradd_t)
+seutil_domtrans_setfiles(useradd_t)
+seutil_domtrans_loadpolicy(useradd_t)
+seutil_manage_bin_policy(useradd_t)
+seutil_manage_module_store(useradd_t)
+seutil_get_semanage_trans_lock(useradd_t)
+seutil_get_semanage_read_lock(useradd_t)
+#seutil_run_semanage(useradd_t, useradd_roles)
+#seutil_run_setfiles(useradd_t, useradd_roles)
 
 userdom_use_unpriv_users_fds(useradd_t)
 # Add/remove user home directories
@@ -576,7 +586,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nscd_run(useradd_t, useradd_roles)
+	nscd_domtrans(useradd_t)
+#	nscd_run(useradd_t, useradd_roles)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 174cfdb..7071460 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -38,11 +38,22 @@ interface(`iptables_domtrans',`
 #
 interface(`iptables_run',`
 	gen_require(`
-		attribute_role iptables_roles;
+		#attribute_role iptables_roles;
+		type iptables_t;
 	')
 
+	#iptables_domtrans($1)
+	#roleattribute $2 iptables_roles;
+
 	iptables_domtrans($1)
-	roleattribute $2 iptables_roles;
+        role $2 types iptables_t;
+
+        sysnet_run_ifconfig(iptables_t, $2)
+
+        optional_policy(`
+                modutils_run_insmod(iptables_t, $2)
+        ')
+
 ')
 
 ########################################
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index cc8d773..36e02fa 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -5,13 +5,14 @@ policy_module(iptables, 1.13.0)
 # Declarations
 #
 
-attribute_role iptables_roles;
-roleattribute system_r iptables_roles;
+#attribute_role iptables_roles;
+#roleattribute system_r iptables_roles;
 
 type iptables_t;
 type iptables_exec_t;
 init_system_domain(iptables_t, iptables_exec_t)
-role iptables_roles types iptables_t;
+#role iptables_roles types iptables_t;
+role system_r types iptables_t;
 
 type iptables_initrc_exec_t;
 init_script_file(iptables_initrc_exec_t)
@@ -97,7 +98,8 @@ logging_send_syslog_msg(iptables_t)
 
 miscfiles_read_localization(iptables_t)
 
-sysnet_run_ifconfig(iptables_t, iptables_roles)
+#sysnet_run_ifconfig(iptables_t, iptables_roles)
+sysnet_domtrans_ifconfig(iptables_t)
 sysnet_dns_name_resolve(iptables_t)
 
 userdom_use_inherited_user_terminals(iptables_t)
@@ -119,7 +121,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-	modutils_run_insmod(iptables_t, iptables_roles)
+	modutils_domtrans_insmod(iptables_t)
+	#modutils_run_insmod(iptables_t, iptables_roles)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 786f87a..2debedc 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -345,11 +345,18 @@ interface(`modutils_domtrans_update_mods',`
 #
 interface(`modutils_run_update_mods',`
 	gen_require(`
-		attribute_role update_modules_roles;
+		#attribute_role update_modules_roles;
+		type update_modules_t;
 	')
 
+	#modutils_domtrans_update_mods($1)
+	#roleattribute $2 update_modules_roles;
+
 	modutils_domtrans_update_mods($1)
-	roleattribute $2 update_modules_roles;
+	role $2 types update_modules_t;
+
+	modutils_run_insmod(update_modules_t, $2)
+
 ')
 
 ########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index b83608d..86a7107 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.12.1)
 # Declarations
 #
 
-attribute_role update_modules_roles;
+#attribute_role update_modules_roles;
 
 type depmod_t;
 type depmod_exec_t;
@@ -30,8 +30,9 @@ files_type(modules_dep_t)
 type update_modules_t;
 type update_modules_exec_t;
 init_system_domain(update_modules_t, update_modules_exec_t)
-roleattribute system_r update_modules_roles;
-role update_modules_roles types update_modules_t;
+#roleattribute system_r update_modules_roles;
+#role update_modules_roles types update_modules_t;
+role system_r types update_modules_t;
 
 type update_modules_tmp_t;
 files_tmp_file(update_modules_tmp_t)
@@ -318,7 +319,7 @@ logging_send_syslog_msg(update_modules_t)
 
 miscfiles_read_localization(update_modules_t)
 
-modutils_run_insmod(update_modules_t, update_modules_roles)
+#modutils_run_insmod(update_modules_t, update_modules_roles)
 
 userdom_use_inherited_user_terminals(update_modules_t)
 userdom_dontaudit_search_user_home_dirs(update_modules_t)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 52e78b8..4881d86 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -44,11 +44,36 @@ interface(`mount_domtrans',`
 #
 interface(`mount_run',`
 	gen_require(`
-		attribute_role mount_roles;
+		#attribute_role mount_roles;
+		type mount_t;
 	')
 
+	#mount_domtrans($1)
+	#roleattribute $2 mount_roles;
+
 	mount_domtrans($1)
-	roleattribute $2 mount_roles;
+        role $2 types mount_t;
+
+        optional_policy(`
+                fstools_run(mount_t, $2)
+        ')
+
+	optional_policy(`
+                lvm_run(mount_t, $2)
+        ')
+
+        optional_policy(`
+                modutils_run_insmod(mount_t, $2)
+        ')
+
+        optional_policy(`
+                rpc_run_rpcd(mount_t, $2)
+        ')
+
+        optional_policy(`
+                samba_run_smbmount(mount_t, $2)
+        ')
+
 ')
 
 ########################################
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index cc76452..14320fe 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -12,13 +12,14 @@ policy_module(mount, 1.14.2)
 ## </desc>
 gen_tunable(allow_mount_anyfile, false)
 
-attribute_role mount_roles;
-roleattribute system_r mount_roles;
+#attribute_role mount_roles;
+#roleattribute system_r mount_roles;
 
 type mount_t;
 type mount_exec_t;
 init_system_domain(mount_t, mount_exec_t)
-role mount_roles types mount_t;
+#role mount_roles types mount_t;
+role system_r types mount_t;
 
 type fusermount_exec_t;
 domain_entry_file(mount_t, fusermount_exec_t)
@@ -286,25 +287,28 @@ optional_policy(`
 
 # Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
 optional_policy(`
-	lvm_run(mount_t, mount_roles)
+#	lvm_run(mount_t, mount_roles)
+	lvm_domtrans(mount_t)
 ')
 
 optional_policy(`
-	modutils_run_insmod(mount_t, mount_roles)
+	#modutils_run_insmod(mount_t, mount_roles)
+	modutils_domtrans_insmod(mount_t)
 	modutils_read_module_deps(mount_t)
 ')
 
 optional_policy(`
-	fstools_run(mount_t, mount_roles)
+	fstools_domtrans(mount_t)
+	#fstools_run(mount_t, mount_roles)
 ')
 
 optional_policy(`
 	rhcs_stream_connect_gfs_controld(mount_t)
 ')
 
-optional_policy(`
-	rpc_run_rpcd(mount_t, mount_roles)
-')
+#optional_policy(`
+#	rpc_run_rpcd(mount_t, mount_roles)
+#')
 
 # for kernel package installation
 optional_policy(`
@@ -314,7 +318,8 @@ optional_policy(`
 
 optional_policy(`
 	samba_read_config(mount_t)
-	samba_run_smbmount(mount_t, mount_roles)
+	samba_domtrans_smbmount(mount_t)
+	#samba_run_smbmount(mount_t, mount_roles)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index a853819..cebf588 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
 #
 interface(`seutil_run_newrole',`
 	gen_require(`
-		attribute_role newrole_roles;
+		type newrole_t;
+		#attribute_role newrole_roles;
 	')
 
+	#seutil_domtrans_newrole($1)
+	#roleattribute $2 newrole_roles;
+
 	seutil_domtrans_newrole($1)
-	roleattribute $2 newrole_roles;
+        role $2 types newrole_t;
+
+        auth_run_upd_passwd(newrole_t, $2)
+
+        optional_policy(`
+                namespace_init_run(newrole_t, $2)
+        ')
+
 ')
 
 ########################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 2aee0c0..4c24e3e 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -14,7 +14,7 @@ attribute can_relabelto_binary_policy;
 attribute setfiles_domain;
 attribute seutil_semanage_domain;
 
-attribute_role newrole_roles;
+#attribute_role newrole_roles;
 
 attribute_role run_init_roles;
 role system_r types run_init_t;
@@ -65,7 +65,8 @@ application_domain(newrole_t, newrole_exec_t)
 domain_role_change_exemption(newrole_t)
 domain_obj_id_change_exemption(newrole_t)
 domain_interactive_fd(newrole_t)
-role newrole_roles types newrole_t;
+#role newrole_roles types newrole_t;
+role system_r types newrole_t;
 
 #
 # policy_config_t is the type of /etc/security/selinux/*
@@ -299,10 +300,11 @@ term_relabel_all_ptys(newrole_t)
 term_getattr_unallocated_ttys(newrole_t)
 term_dontaudit_use_unallocated_ttys(newrole_t)
 
-auth_use_nsswitch(newrole_t)
-auth_run_chk_passwd(newrole_t, newrole_roles)
-auth_run_upd_passwd(newrole_t, newrole_roles)
-auth_rw_faillog(newrole_t)
+#auth_use_nsswitch(newrole_t)
+#auth_run_chk_passwd(newrole_t, newrole_roles)
+#auth_run_upd_passwd(newrole_t, newrole_roles)
+#auth_rw_faillog(newrole_t)
+auth_use_pam(newrole_t)
 
 # Write to utmp.
 init_rw_utmp(newrole_t)
@@ -322,9 +324,9 @@ optional_policy(`
     dbus_system_bus_client(newrole_t)
 ')
 
-optional_policy(`
-	namespace_init_run(newrole_t, newrole_roles)
-')
+#optional_policy(`
+#	namespace_init_run(newrole_t, newrole_roles)
+#')
 
 
 optional_policy(`
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 7b08f77..949fdcc 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,47 @@ interface(`sysnet_domtrans_dhcpc',`
 #
 interface(`sysnet_run_dhcpc',`
 	gen_require(`
-		attribute_role dhcpc_roles;
+		type dhcpc_t;
+		#attribute_role dhcpc_roles;
 	')
 
+	#sysnet_domtrans_dhcpc($1)
+	#roleattribute $2 dhcpc_roles;
+
 	sysnet_domtrans_dhcpc($1)
-	roleattribute $2 dhcpc_roles;
+        role $2 types dhcpc_t;
+
+        modutils_run_insmod(dhcpc_t, $2)
+
+        sysnet_run_ifconfig(dhcpc_t, $2)
+
+        optional_policy(`
+                hostname_run(dhcpc_t, $2)
+        ')
+
+        optional_policy(`
+                netutils_run(dhcpc_t, $2)
+                netutils_run_ping(dhcpc_t, $2)
+        ')
+
+        optional_policy(`
+                networkmanager_run(dhcpc_t, $2)
+        ')
+
+        optional_policy(`
+                nis_run_ypbind(dhcpc_t, $2)
+        ')
+
+        optional_policy(`
+                nscd_run(dhcpc_t, $2)
+        ')
+
+        optional_policy(`
+                ntp_run(dhcpc_t, $2)
+        ')
+
+        seutil_run_setfiles(dhcpc_t, $2)
+
 ')
 
 ########################################
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 2d2b6ef..1bfcd4f 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -12,8 +12,8 @@ policy_module(sysnetwork, 1.13.2)
 ## </desc>
 gen_tunable(dhcpc_exec_iptables, false)
 
-attribute_role dhcpc_roles;
-roleattribute system_r dhcpc_roles;
+#attribute_role dhcpc_roles;
+#roleattribute system_r dhcpc_roles;
 
 # this is shared between dhcpc and dhcpd:
 type dhcp_etc_t;
@@ -27,7 +27,8 @@ files_type(dhcp_state_t)
 type dhcpc_t;
 type dhcpc_exec_t;
 init_daemon_domain(dhcpc_t, dhcpc_exec_t)
-role dhcpc_roles types dhcpc_t;
+#role dhcpc_roles types dhcpc_t;
+role system_r types dhcpc_t;
 
 type dhcpc_helper_exec_t;
 init_script_file(dhcpc_helper_exec_t)
@@ -159,9 +160,10 @@ logging_send_syslog_msg(dhcpc_t)
 miscfiles_read_generic_certs(dhcpc_t)
 miscfiles_read_localization(dhcpc_t)
 
-modutils_run_insmod(dhcpc_t, dhcpc_roles)
+#modutils_run_insmod(dhcpc_t, dhcpc_roles)
+modutils_domtrans_insmod(dhcpc_t)
+#sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
 
-sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
 
 userdom_use_user_terminals(dhcpc_t)
 userdom_dontaudit_search_user_home_dirs(dhcpc_t)
@@ -176,9 +178,9 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
-optional_policy(`
-	consoletype_run(dhcpc_t, dhcpc_roles)
-')
+#optional_policy(`
+#	consoletype_run(dhcpc_t, dhcpc_roles)
+#')
 
 optional_policy(`
 	chronyd_initrc_domtrans(dhcpc_t)
@@ -203,7 +205,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-	hostname_run(dhcpc_t, dhcpc_roles)
+	hostname_domtrans(dhcpc_t)
+#	hostname_run(dhcpc_t, dhcpc_roles)
 ')
 
 optional_policy(`
commit 0a0c8b9d35398f3662db1b0bdb2f4c7761121ba1
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Jun 7 02:26:53 2012 +0200

    roleattribute patch for passwd_t

diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 764260e..da75471 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -176,7 +176,7 @@ interface(`usermanage_kill_passwd',`
 #
 interface(`usermanage_run_passwd',`
 	gen_require(`
-		type type passwd_t;
+		type passwd_t;
 		#attribute_role passwd_roles;
 	')
 
commit 0b71245f63ddbb6ca00790fa5318db798286d8d8
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Jun 7 02:38:28 2012 +0200

    Fix also for sysnetwork.te

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 1bfcd4f..3a94d52 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -226,8 +226,10 @@ optional_policy(`
 
 # for the dhcp client to run ping to check IP addresses
 optional_policy(`
-	netutils_run_ping(dhcpc_t, dhcpc_roles)
-	netutils_run(dhcpc_t, dhcpc_roles)
+	#netutils_run_ping(dhcpc_t, dhcpc_roles)
+	#netutils_run(dhcpc_t, dhcpc_roles)
+	netutils_domtrans_ping(dhcpc_t)
+        netutils_domtrans(dhcpc_t
 ',`
 	allow dhcpc_t self:capability setuid;
 	allow dhcpc_t self:rawip_socket create_socket_perms;
commit fdfc3cf8dbc69bda177afe16e78a52891cb6da4a
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Jun 7 02:41:48 2012 +0200

    Other

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3a94d52..6a6f03f 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -229,7 +229,7 @@ optional_policy(`
 	#netutils_run_ping(dhcpc_t, dhcpc_roles)
 	#netutils_run(dhcpc_t, dhcpc_roles)
 	netutils_domtrans_ping(dhcpc_t)
-        netutils_domtrans(dhcpc_t
+        netutils_domtrans(dhcpc_t)
 ',`
 	allow dhcpc_t self:capability setuid;
 	allow dhcpc_t self:rawip_socket create_socket_perms;
commit 2ea19d46d563741f998001a38f9d4dbb4d1fdd06
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Jun 7 08:10:01 2012 +0200

    Fix passwd

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index a077b28..396909c 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -526,11 +526,6 @@ fs_getattr_xattr_fs(useradd_t)
 mls_file_upgrade(useradd_t)
 mls_process_read_to_clearance(useradd_t)
 
-seutil_semanage_policy(useradd_t)
-seutil_manage_file_contexts(useradd_t)
-seutil_manage_config(useradd_t)
-seutil_manage_default_contexts(useradd_t)
-
 term_use_all_inherited_terms(useradd_t)
 term_getattr_all_ptys(useradd_t)
 
@@ -554,14 +549,19 @@ logging_send_syslog_msg(useradd_t)
 
 miscfiles_read_localization(useradd_t)
 
+seutil_semanage_policy(useradd_t)
+seutil_manage_file_contexts(useradd_t)
+seutil_manage_config(useradd_t)
+seutil_manage_default_contexts(useradd_t)
+
 seutil_read_config(useradd_t)
 seutil_read_file_contexts(useradd_t)
 seutil_read_default_contexts(useradd_t)
 seutil_domtrans_semanage(useradd_t)
 seutil_domtrans_setfiles(useradd_t)
 seutil_domtrans_loadpolicy(useradd_t)
-seutil_manage_bin_policy(useradd_t)
-seutil_manage_module_store(useradd_t)
+#seutil_manage_bin_policy(useradd_t)
+#seutil_manage_module_store(useradd_t)
 seutil_get_semanage_trans_lock(useradd_t)
 seutil_get_semanage_read_lock(useradd_t)
 #seutil_run_semanage(useradd_t, useradd_roles)
commit db92f5bcb6fe7f86aae12dffe64ec3d920815343
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Jun 7 08:30:34 2012 +0200

    Also for semanage_roles

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index cebf588..7e38077 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1140,11 +1140,18 @@ interface(`seutil_domtrans_setsebool',`
 #
 interface(`seutil_run_semanage',`
 	gen_require(`
-		attribute_role semanage_roles;
+		#attribute_role semanage_roles;
+		type semanage_t;
 	')
 
+	#seutil_domtrans_semanage($1)
+	#roleattribute $2 semanage_roles;
+
 	seutil_domtrans_semanage($1)
-	roleattribute $2 semanage_roles;
+        seutil_run_setfiles(semanage_t, $2)
+        seutil_run_loadpolicy(semanage_t, $2)
+        role $2 types semanage_t;
+
 ')
 
 ########################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 4c24e3e..90498cd 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -19,8 +19,8 @@ attribute seutil_semanage_domain;
 attribute_role run_init_roles;
 role system_r types run_init_t;
 
-attribute_role semanage_roles;
-roleattribute system_r semanage_roles;
+#attribute_role semanage_roles;
+#roleattribute system_r semanage_roles;
 
 #
 # selinux_config_t is the type applied to
@@ -110,7 +110,8 @@ application_domain(semanage_t, semanage_exec_t)
 dbus_system_domain(semanage_t, semanage_exec_t)
 init_daemon_domain(semanage_t, semanage_exec_t)
 domain_interactive_fd(semanage_t)
-role semanage_roles types semanage_t;
+#role semanage_roles types semanage_t;
+role system_r types semanage_t;
 
 type setsebool_t;
 type setsebool_exec_t;
@@ -530,14 +531,15 @@ files_read_non_security_files(semanage_t)
 
 seutil_manage_file_contexts(semanage_t)
 seutil_manage_config(semanage_t)
-
-seutil_run_setfiles(semanage_t, semanage_roles)
-seutil_run_loadpolicy(semanage_t, semanage_roles)
-seutil_manage_bin_policy(semanage_t)
-seutil_use_newrole_fds(semanage_t)
-seutil_manage_module_store(semanage_t)
-seutil_get_semanage_trans_lock(semanage_t)
-seutil_get_semanage_read_lock(semanage_t)
+seutil_domtrans_setfiles(semanage_t)
+
+#seutil_run_setfiles(semanage_t, semanage_roles)
+#seutil_run_loadpolicy(semanage_t, semanage_roles)
+#seutil_manage_bin_policy(semanage_t)
+#seutil_use_newrole_fds(semanage_t)
+#seutil_manage_module_store(semanage_t)
+#seutil_get_semanage_trans_lock(semanage_t)
+#seutil_get_semanage_read_lock(semanage_t)
 # netfilter_contexts:
 seutil_manage_default_contexts(semanage_t)
 
commit aebf9204ec2a7cfb943327eb3aace2a9b4130769
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Jun 7 08:38:22 2012 +0200

    run_init roles

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 7e38077..6903c5e 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -457,11 +457,20 @@ interface(`seutil_init_script_domtrans_runinit',`
 #
 interface(`seutil_run_runinit',`
 	gen_require(`
-		attribute_role run_init_roles;
+		#attribute_role run_init_roles;
+		type run_init_t;
+                role system_r;
 	')
 
-	seutil_domtrans_runinit($1)
-	roleattribute $2 run_init_roles;
+	#seutil_domtrans_runinit($1)
+	#roleattribute $2 run_init_roles;
+
+	        auth_run_chk_passwd(run_init_t, $2)
+        seutil_domtrans_runinit($1)
+        role $2 types run_init_t;
+
+        allow $2 system_r;
+
 ')
 
 ########################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 90498cd..06b4e9a 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -16,8 +16,8 @@ attribute seutil_semanage_domain;
 
 #attribute_role newrole_roles;
 
-attribute_role run_init_roles;
-role system_r types run_init_t;
+#attribute_role run_init_roles;
+#role system_r types run_init_t;
 
 #attribute_role semanage_roles;
 #roleattribute system_r semanage_roles;
@@ -102,7 +102,8 @@ type run_init_t;
 type run_init_exec_t;
 application_domain(run_init_t, run_init_exec_t)
 domain_system_change_exemption(run_init_t)
-role run_init_roles types run_init_t;
+#role run_init_roles types run_init_t;
+role system_r types run_init_t;
 
 type semanage_t;
 type semanage_exec_t;
@@ -412,7 +413,7 @@ optional_policy(`
 # Run_init local policy
 #
 
-allow run_init_roles system_r;
+#allow run_init_roles system_r;
 
 allow run_init_t self:process setexec;
 allow run_init_t self:capability setuid;
@@ -449,11 +450,17 @@ selinux_compute_user_contexts(run_init_t)
 
 term_use_console(run_init_t)
 
+#auth_use_nsswitch(run_init_t)
+#auth_run_chk_passwd(run_init_t, run_init_roles)
+#auth_run_upd_passwd(run_init_t, run_init_roles)
+#auth_dontaudit_read_shadow(run_init_t)
+
 auth_use_nsswitch(run_init_t)
-auth_run_chk_passwd(run_init_t, run_init_roles)
-auth_run_upd_passwd(run_init_t, run_init_roles)
+auth_domtrans_chk_passwd(run_init_t)
+auth_domtrans_upd_passwd(run_init_t)
 auth_dontaudit_read_shadow(run_init_t)
 
+
 init_spec_domtrans_script(run_init_t)
 # for utmp
 init_rw_utmp(run_init_t)
commit 4803dd3583e4c84e24a7f6974e195bb8145f1bb5
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Jun 7 10:01:51 2012 +0200

    One more for run_init

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 6903c5e..b64a37a 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -502,11 +502,19 @@ interface(`seutil_run_runinit',`
 #
 interface(`seutil_init_script_run_runinit',`
 	gen_require(`
-		attribute_role run_init_roles;
+		#attribute_role run_init_roles;
+		type run_init_t;
+                role system_r;
 	')
 
-	seutil_init_script_domtrans_runinit($1)
-	roleattribute $2 run_init_roles;
+	#seutil_init_script_domtrans_runinit($1)
+	#roleattribute $2 run_init_roles;
+	        auth_run_chk_passwd(run_init_t, $2)
+        seutil_init_script_domtrans_runinit($1)
+        role $2 types run_init_t;
+
+        allow $2 system_r;
+
 ')
 
 ########################################