From c87e150280bde84f677f96a57f292cb869f2cfa3 Mon Sep 17 00:00:00 2001 From: Jeremy Solt Date: Aug 09 2010 13:20:31 +0000 Subject: roles patch from Dan Walsh to move unwanted interface calls into a ifndef --- diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 30754e4..a589c55 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te 
@@ -19,151 +19,152 @@ optional_policy(` ') optional_policy(` - auth_role(staff_r, staff_t) -') - -optional_policy(` auditadm_role_change(staff_r) ') optional_policy(` - bluetooth_role(staff_r, staff_t) + postgresql_role(staff_r, staff_t) ') optional_policy(` - cdrecord_role(staff_r, staff_t) + secadm_role_change(staff_r) ') optional_policy(` - cron_role(staff_r, staff_t) + ssh_role_template(staff, staff_r, staff_t) ') optional_policy(` - dbus_role_template(staff, staff_r, staff_t) + sudo_role_template(staff, staff_r, staff_t) ') optional_policy(` - evolution_role(staff_r, staff_t) + sysadm_role_change(staff_r) + userdom_dontaudit_use_user_terminals(staff_t) ') optional_policy(` - games_role(staff_r, staff_t) + xserver_role(staff_r, staff_t) ') -optional_policy(` - gift_role(staff_r, staff_t) -') +ifndef(`distro_redhat',` + optional_policy(` + auth_role(staff_r, staff_t) + ') -optional_policy(` - gnome_role(staff_r, staff_t) -') + optional_policy(` + bluetooth_role(staff_r, staff_t) + ') -optional_policy(` - gpg_role(staff_r, staff_t) -') + optional_policy(` + cdrecord_role(staff_r, staff_t) + ') -optional_policy(` - irc_role(staff_r, staff_t) -') + optional_policy(` + cron_role(staff_r, staff_t) + ') -optional_policy(` - java_role(staff_r, staff_t) -') + optional_policy(` + dbus_role_template(staff, staff_r, staff_t) + ') -optional_policy(` - lockdev_role(staff_r, staff_t) -') + optional_policy(` + evolution_role(staff_r, staff_t) + ') -optional_policy(` - lpd_role(staff_r, staff_t) -') + optional_policy(` + games_role(staff_r, staff_t) + ') -optional_policy(` - mozilla_role(staff_r, staff_t) -') + optional_policy(` + gift_role(staff_r, staff_t) + ') -optional_policy(` - mplayer_role(staff_r, staff_t) -') + optional_policy(` + gnome_role(staff_r, staff_t) + ') -optional_policy(` - mta_role(staff_r, staff_t) -') + optional_policy(` + gpg_role(staff_r, staff_t) + ') -optional_policy(` - oident_manage_user_content(staff_t) - oident_relabel_user_content(staff_t) -') + 
optional_policy(` + irc_role(staff_r, staff_t) + ') -optional_policy(` - postgresql_role(staff_r, staff_t) -') + optional_policy(` + java_role(staff_r, staff_t) + ') -optional_policy(` - pyzor_role(staff_r, staff_t) -') + optional_policy(` + lockdev_role(staff_r, staff_t) + ') -optional_policy(` - razor_role(staff_r, staff_t) -') + optional_policy(` + lpd_role(staff_r, staff_t) + ') -optional_policy(` - rssh_role(staff_r, staff_t) -') + optional_policy(` + mozilla_role(staff_r, staff_t) + ') -optional_policy(` - screen_role_template(staff, staff_r, staff_t) -') + optional_policy(` + mplayer_role(staff_r, staff_t) + ') -optional_policy(` - secadm_role_change(staff_r) -') + optional_policy(` + mta_role(staff_r, staff_t) + ') -optional_policy(` - spamassassin_role(staff_r, staff_t) -') + optional_policy(` + oident_manage_user_content(staff_t) + oident_relabel_user_content(staff_t) + ') + optional_policy(` + pyzor_role(staff_r, staff_t) + ') -optional_policy(` - ssh_role_template(staff, staff_r, staff_t) -') + optional_policy(` + razor_role(staff_r, staff_t) + ') -optional_policy(` - su_role_template(staff, staff_r, staff_t) -') + optional_policy(` + rssh_role(staff_r, staff_t) + ') -optional_policy(` - sudo_role_template(staff, staff_r, staff_t) -') + optional_policy(` + screen_role_template(staff, staff_r, staff_t) + ') -optional_policy(` - sysadm_role_change(staff_r) - userdom_dontaudit_use_user_terminals(staff_t) -') + optional_policy(` + spamassassin_role(staff_r, staff_t) + ') -optional_policy(` - thunderbird_role(staff_r, staff_t) -') - -optional_policy(` - tvtime_role(staff_r, staff_t) -') + optional_policy(` + su_role_template(staff, staff_r, staff_t) + ') -optional_policy(` - uml_role(staff_r, staff_t) -') - -optional_policy(` - userhelper_role_template(staff, staff_r, staff_t) -') - -optional_policy(` - vmware_role(staff_r, staff_t) -') - -optional_policy(` - wireshark_role(staff_r, staff_t) -') - -optional_policy(` - xserver_role(staff_r, staff_t) + 
optional_policy(` + thunderbird_role(staff_r, staff_t) + ') + + optional_policy(` + tvtime_role(staff_r, staff_t) + ') + + optional_policy(` + uml_role(staff_r, staff_t) + ') + + optional_policy(` + userhelper_role_template(staff, staff_r, staff_t) + ') + + optional_policy(` + vmware_role(staff_r, staff_t) + ') + + optional_policy(` + wireshark_role(staff_r, staff_t) + ') ') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 794e06f..2a19751 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -86,10 +86,6 @@ optional_policy(` ') optional_policy(` - auth_role(sysadm_r, sysadm_t) -') - -optional_policy(` backup_run(sysadm_t, sysadm_r) ') @@ -98,18 +94,10 @@ optional_policy(` ') optional_policy(` - bluetooth_role(sysadm_r, sysadm_t) -') - -optional_policy(` bootloader_run(sysadm_t, sysadm_r) ') optional_policy(` - cdrecord_role(sysadm_r, sysadm_t) -') - -optional_policy(` certwatch_run(sysadm_t, sysadm_r) ') @@ -126,18 +114,10 @@ optional_policy(` ') optional_policy(` - cron_admin_role(sysadm_r, sysadm_t) -') - -optional_policy(` cvs_exec(sysadm_t) ') optional_policy(` - dbus_role_template(sysadm, sysadm_r, sysadm_t) -') - -optional_policy(` dcc_run_cdcc(sysadm_t, sysadm_r) dcc_run_client(sysadm_t, sysadm_r) dcc_run_dbclean(sysadm_t, sysadm_r) @@ -160,10 +140,6 @@ optional_policy(` ') optional_policy(` - evolution_role(sysadm_r, sysadm_t) -') - -optional_policy(` firstboot_run(sysadm_t, sysadm_r) ') @@ -172,22 +148,6 @@ optional_policy(` ') optional_policy(` - games_role(sysadm_r, sysadm_t) -') - -optional_policy(` - gift_role(sysadm_r, sysadm_t) -') - -optional_policy(` - gnome_role(sysadm_r, sysadm_t) -') - -optional_policy(` - gpg_role(sysadm_r, sysadm_t) -') - -optional_policy(` hostname_run(sysadm_t, sysadm_r) ') 
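Review bot: The new ifndef on distro_redhat in staff.te has no comment saying why these role calls are dropped on Red Hat builds or where staff_r gets the equivalent access there; the same applies to the blocks added in sysadm.te and unprivuser.te. As these interfaces are normally defined, calls such as gpg_role, mozilla_role and su_role_template are what give the role its transition into the program's own confined domain, so a distro_redhat build that does not grant them elsewhere (not visible in this diff) would lose that transition. I would add a line above the first optional_policy inside the block, for example `# Not called on distro_redhat builds: <reason, and the module that grants these roles instead>`, and keep quote characters out of it because the comment sits inside an m4-quoted argument. Separately, the oident block and the pyzor block inside the new ifndef are not separated by the blank line that every other pair has.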
@@ -206,14 +166,6 @@ optional_policy(` ') optional_policy(` - irc_role(sysadm_r, sysadm_t) -') - -optional_policy(` - java_role(sysadm_r, sysadm_t) -') - -optional_policy(` kudzu_run(sysadm_t, sysadm_r) ') @@ -444,3 +396,54 @@ optional_policy(` optional_policy(` yam_run(sysadm_t, sysadm_r) ') + +ifndef(`distro_redhat',` + optional_policy(` + auth_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + bluetooth_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + cdrecord_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + cron_admin_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + dbus_role_template(sysadm, sysadm_r, sysadm_t) + ') + + optional_policy(` + evolution_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + games_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + gift_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + gnome_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + gpg_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + irc_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + java_role(sysadm_r, sysadm_t) + ') +') + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index d5d5042..e8a507d 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te 
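Review bot: The ifndef block appended at the end of sysadm.te stops at java_role, whereas the matching blocks in staff.te and unprivuser.te run through wireshark_role. Any later role calls for sysadm_r (lockdev_role onward, if sysadm.te has them; that part of the file is outside these hunks) would therefore stay unconditional on distro_redhat builds. If the split is intended, say so at the top of the block, e.g. `# Only the auth through java role calls are skipped on distro_redhat; <reason the rest stay>`. The block is also followed by an added blank line at end of file, which can be dropped.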
@@ -17,138 +17,140 @@ optional_policy(` ') optional_policy(` - auth_role(user_r, user_t) + screen_role_template(user, user_r, user_t) ') optional_policy(` - bluetooth_role(user_r, user_t) + xserver_role(user_r, user_t) ') -optional_policy(` - cdrecord_role(user_r, user_t) -') +ifndef(`distro_redhat',` + optional_policy(` + auth_role(user_r, user_t) + ') -optional_policy(` - cron_role(user_r, user_t) -') + optional_policy(` + bluetooth_role(user_r, user_t) + ') -optional_policy(` - dbus_role_template(user, user_r, user_t) -') + optional_policy(` + cdrecord_role(user_r, user_t) + ') -optional_policy(` - evolution_role(user_r, user_t) -') + optional_policy(` + cron_role(user_r, user_t) + ') -optional_policy(` - games_role(user_r, user_t) -') + optional_policy(` + dbus_role_template(user, user_r, user_t) + ') -optional_policy(` - gift_role(user_r, user_t) -') + optional_policy(` + evolution_role(user_r, user_t) + ') -optional_policy(` - gnome_role(user_r, user_t) -') + optional_policy(` + games_role(user_r, user_t) + ') -optional_policy(` - gpg_role(user_r, user_t) -') + optional_policy(` + gift_role(user_r, user_t) + ') -optional_policy(` - irc_role(user_r, user_t) -') + optional_policy(` + gnome_role(user_r, user_t) + ') -optional_policy(` - java_role(user_r, user_t) -') + optional_policy(` + gpg_role(user_r, user_t) + ') -optional_policy(` - lockdev_role(user_r, user_t) -') + optional_policy(` + irc_role(user_r, user_t) + ') -optional_policy(` - lpd_role(user_r, user_t) -') + optional_policy(` + java_role(user_r, user_t) + ') -optional_policy(` - mozilla_role(user_r, user_t) -') + optional_policy(` + lockdev_role(user_r, user_t) + ') -optional_policy(` - mplayer_role(user_r, user_t) -') + optional_policy(` + lpd_role(user_r, user_t) + ') -optional_policy(` - mta_role(user_r, user_t) -') + optional_policy(` + mozilla_role(user_r, user_t) + ') -optional_policy(` - oident_manage_user_content(user_t) - oident_relabel_user_content(user_t) -') + optional_policy(` + 
mplayer_role(user_r, user_t) + ') -optional_policy(` - postgresql_role(user_r, user_t) -') + optional_policy(` + mta_role(user_r, user_t) + ') -optional_policy(` - pyzor_role(user_r, user_t) -') + optional_policy(` + oident_manage_user_content(user_t) + oident_relabel_user_content(user_t) + ') -optional_policy(` - razor_role(user_r, user_t) -') + optional_policy(` + postgresql_role(user_r, user_t) + ') -optional_policy(` - rssh_role(user_r, user_t) -') + optional_policy(` + pyzor_role(user_r, user_t) + ') -optional_policy(` - screen_role_template(user, user_r, user_t) -') + optional_policy(` + razor_role(user_r, user_t) + ') -optional_policy(` - spamassassin_role(user_r, user_t) -') + optional_policy(` + rssh_role(user_r, user_t) + ') -optional_policy(` - ssh_role_template(user, user_r, user_t) -') + optional_policy(` + spamassassin_role(user_r, user_t) + ') -optional_policy(` - su_role_template(user, user_r, user_t) -') + optional_policy(` + ssh_role_template(user, user_r, user_t) + ') -optional_policy(` - sudo_role_template(user, user_r, user_t) -') + optional_policy(` + su_role_template(user, user_r, user_t) + ') -optional_policy(` - thunderbird_role(user_r, user_t) -') + optional_policy(` + sudo_role_template(user, user_r, user_t) + ') -optional_policy(` - tvtime_role(user_r, user_t) -') + optional_policy(` + thunderbird_role(user_r, user_t) + ') -optional_policy(` - uml_role(user_r, user_t) -') + optional_policy(` + tvtime_role(user_r, user_t) + ') -optional_policy(` - userhelper_role_template(user, user_r, user_t) -') + optional_policy(` + uml_role(user_r, user_t) + ') -optional_policy(` - vmware_role(user_r, user_t) -') + optional_policy(` + userhelper_role_template(user, user_r, user_t) + ') -optional_policy(` - wireshark_role(user_r, user_t) -') + optional_policy(` + vmware_role(user_r, user_t) + ') -optional_policy(` - xserver_role(user_r, user_t) + optional_policy(` + wireshark_role(user_r, user_t) + ') ')
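Review bot: The set of calls left outside the ifndef in unprivuser.te differs from staff.te, and nothing in either file explains the difference. `screen_role_template(user, user_r, user_t)` stays unconditional for user_r while the staff_r equivalent is moved inside the ifndef, and postgresql_role, ssh_role_template and sudo_role_template become conditional for user_r but remain unconditional for staff_r. Withholding sudo from the unprivileged role looks deliberate, but the screen difference reads like an oversight. Either move that call into the ifndef next to rssh_role or add a comment beside it, e.g. `# kept on distro_redhat: <reason>`.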