diff --git a/policy-rawhide-roleattribute.patch b/policy-rawhide-roleattribute.patch
new file mode 100644
index 0000000..5862462
--- /dev/null
+++ b/policy-rawhide-roleattribute.patch
@@ -0,0 +1,1128 @@ +commit cfa63bfedb3b94a2b78bc3ee394cf7132167e45b +Author: Miroslav Grepl +Date: Thu Jun 7 02:18:29 2012 +0200 + + roleattribute patch + +diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if +index 4a50807..5e914db 100644 +--- a/policy/modules/admin/bootloader.if ++++ b/policy/modules/admin/bootloader.if +@@ -56,11 +56,21 @@ interface(`bootloader_exec',` + # + interface(`bootloader_run',` + gen_require(` +- attribute_role bootloader_roles; ++ type bootloader_t; ++ #attribute_role bootloader_roles; + ') + ++ #bootloader_domtrans($1) ++ #roleattribute $2 bootloader_roles; ++ + bootloader_domtrans($1) +- roleattribute $2 bootloader_roles; ++ ++ role $2 types bootloader_t; ++ ++ ifdef(`distro_redhat',` ++ # for mke2fs ++ mount_run(bootloader_t, $2) ++ ') + ') + + ######################################## +diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te +index 81a08e4..e717a21 100644 +--- a/policy/modules/admin/bootloader.te ++++ b/policy/modules/admin/bootloader.te +@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0) + # Declarations + # + +-attribute_role bootloader_roles; +-roleattribute system_r bootloader_roles; ++#attribute_role bootloader_roles; ++#roleattribute system_r bootloader_roles; + + # + # boot_runtime_t is the type for /boot/kernel.h, +@@ -19,7 +19,8 @@ files_type(boot_runtime_t) + type bootloader_t; + type bootloader_exec_t; + application_domain(bootloader_t, bootloader_exec_t) +-role bootloader_roles types bootloader_t; ++#role bootloader_roles types bootloader_t; ++role system_r types bootloader_t; + + # + # bootloader_etc_t is the configuration file, +@@ -174,7 +175,8 @@ ifdef(`distro_redhat',` + files_manage_isid_type_chr_files(bootloader_t) + + # for mke2fs +- mount_run(bootloader_t, bootloader_roles) ++ #mount_run(bootloader_t, bootloader_roles) ++ mount_domtrans(bootloader_t) + + optional_policy(` + unconfined_domain(bootloader_t) +diff --git 
a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
+index 4d387af..764260e 100644
+--- a/policy/modules/admin/usermanage.if
++++ b/policy/modules/admin/usermanage.if
+@@ -37,11 +37,16 @@ interface(`usermanage_domtrans_chfn',`
+ #
+ interface(`usermanage_run_chfn',`
+ gen_require(`
+- attribute_role chfn_roles;
++ #attribute_role chfn_roles;
++ type chfn_t;
+ ')
+
++ #usermanage_domtrans_chfn($1)
++ #roleattribute $2 chfn_roles;
++
+ usermanage_domtrans_chfn($1)
+- roleattribute $2 chfn_roles;
++ role $2 types chfn_t;
++
+ ')
+
+ ########################################
+@@ -101,11 +106,19 @@ interface(`usermanage_access_check_groupadd',`
+ #
+ interface(`usermanage_run_groupadd',`
+ gen_require(`
+- attribute_role groupadd_roles;
++ type groupadd_t;
++ #attribute_role groupadd_roles;
+ ')
+
++ #usermanage_domtrans_groupadd($1)
++ #roleattribute $2 groupadd_roles;
+ usermanage_domtrans_groupadd($1)
+- roleattribute $2 groupadd_roles;
++ role $2 types groupadd_t;
++
++ optional_policy(`
++ nscd_run(groupadd_t, $2)
++ ')
++
+ ')
+
+ ########################################
+@@ -163,11 +176,17 @@ interface(`usermanage_kill_passwd',`
+ #
+ interface(`usermanage_run_passwd',`
+ gen_require(`
+- attribute_role passwd_roles;
++ type type passwd_t;
++ #attribute_role passwd_roles;
+ ')
+
++ #usermanage_domtrans_passwd($1)
++ #roleattribute $2 passwd_roles;
++
+ usermanage_domtrans_passwd($1)
+- roleattribute $2 passwd_roles;
++ role $2 types passwd_t;
++ auth_run_chk_passwd(passwd_t, $2)
++
+ ')
+
+ ########################################
+@@ -229,11 +248,20 @@ interface(`usermanage_domtrans_admin_passwd',`
+ #
+ interface(`usermanage_run_admin_passwd',`
+ gen_require(`
+- attribute_role sysadm_passwd_roles;
++ type sysadm_passwd_t;
++ #attribute_role sysadm_passwd_roles;
+ ')
+
++ #usermanage_domtrans_admin_passwd($1)
++ #roleattribute $2 sysadm_passwd_roles;
++
+ usermanage_domtrans_admin_passwd($1)
+- roleattribute $2 sysadm_passwd_roles;
++ role $2 types sysadm_passwd_t;
++
++ optional_policy(`
++ nscd_run(sysadm_passwd_t, $2)
++ ')
++
+ ')
+
+ ########################################
+@@ -292,11 +320,20 @@ interface(`usermanage_domtrans_useradd',`
+ #
+ interface(`usermanage_run_useradd',`
+ gen_require(`
+- attribute_role useradd_roles;
++ #attribute_role useradd_roles;
++ type sysadm_passwd_t;
+ ')
+
+- usermanage_domtrans_useradd($1)
+- roleattribute $2 useradd_roles;
++ #usermanage_domtrans_useradd($1)
++ #roleattribute $2 useradd_roles;
++
++ usermanage_domtrans_admin_passwd($1)
++ role $2 types sysadm_passwd_t;
++
++ optional_policy(`
++ nscd_run(sysadm_passwd_t, $2)
++ ')
++
+ ')
+
+ ########################################
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 446b743..a077b28 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -5,18 +5,18 @@ policy_module(usermanage, 1.17.3)
+ # Declarations
+ #
+
+-attribute_role chfn_roles;
+-role system_r types chfn_t;
++#attribute_role chfn_roles;
++#role system_r types chfn_t;
+
+-attribute_role groupadd_roles;
++#attribute_role groupadd_roles;
+
+-attribute_role passwd_roles;
+-roleattribute system_r passwd_roles;
++#attribute_role passwd_roles;
++#roleattribute system_r passwd_roles;
+
+-attribute_role sysadm_passwd_roles;
+-roleattribute system_r sysadm_passwd_roles;
++#attribute_role sysadm_passwd_roles;
++#roleattribute system_r sysadm_passwd_roles;
+
+-attribute_role useradd_roles;
++#attribute_role useradd_roles;
+
+ type admin_passwd_exec_t;
+ files_type(admin_passwd_exec_t)
+@@ -25,7 +25,8 @@ type chfn_t;
+ type chfn_exec_t;
+ domain_obj_id_change_exemption(chfn_t)
+ application_domain(chfn_t, chfn_exec_t)
+-role chfn_roles types chfn_t;
++#role chfn_roles types chfn_t;
++role system_r types chfn_t;
+
+ type crack_t;
+ type crack_exec_t;
+@@ -42,18 +43,21 @@ type groupadd_t;
+ type groupadd_exec_t;
+ domain_obj_id_change_exemption(groupadd_t)
+ 
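Review bot: The rewritten `usermanage_run_useradd` no longer transitions the caller into useradd_t: its gen_require pulls in `sysadm_passwd_t`, it calls `usermanage_domtrans_admin_passwd($1)` and authorizes `role $2 types sysadm_passwd_t;`, which is the body of `usermanage_run_admin_passwd` from the previous hunk pasted in. A role that invokes this interface is therefore put into the admin passwd domain, and the authorization for useradd_t that the removed `roleattribute $2 useradd_roles` provided is gone, so useradd launched from that role either runs in the wrong domain or is refused on the role check. The interface should require `type useradd_t;`, call `usermanage_domtrans_useradd($1)` with `role $2 types useradd_t;`, and the optional helper should be `nscd_run(useradd_t, $2)`.

```m4
interface(`usermanage_run_useradd',`
	gen_require(`
		type useradd_t;
	')

	usermanage_domtrans_useradd($1)
	role $2 types useradd_t;

	optional_policy(`
		nscd_run(useradd_t, $2)
	')
')
```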
init_system_domain(groupadd_t, groupadd_exec_t) +-role groupadd_roles types groupadd_t; ++#role groupadd_roles types groupadd_t; ++ + + type passwd_t; + type passwd_exec_t; + domain_obj_id_change_exemption(passwd_t) + application_domain(passwd_t, passwd_exec_t) +-role passwd_roles types passwd_t; ++#role passwd_roles types passwd_t; ++role system_r types passwd_t; + + type sysadm_passwd_t; + domain_obj_id_change_exemption(sysadm_passwd_t) + application_domain(sysadm_passwd_t, admin_passwd_exec_t) +-role sysadm_passwd_roles types sysadm_passwd_t; ++#role sysadm_passwd_roles types sysadm_passwd_t; ++role system_r types sysadm_passwd_t; + + type sysadm_passwd_tmp_t; + files_tmp_file(sysadm_passwd_tmp_t) +@@ -62,7 +66,8 @@ type useradd_t; + type useradd_exec_t; + domain_obj_id_change_exemption(useradd_t) + init_system_domain(useradd_t, useradd_exec_t) +-role useradd_roles types useradd_t; ++#role useradd_roles types useradd_t; ++role system_r types useradd_t; + + ######################################## + # +@@ -106,11 +111,11 @@ fs_search_auto_mountpoints(chfn_t) + dev_read_urand(chfn_t) + dev_dontaudit_getattr_all(chfn_t) + +-#auth_manage_passwd(chfn_t) +-#auth_use_pam(chfn_t) +-auth_run_chk_passwd(chfn_t, chfn_roles) +-auth_dontaudit_read_shadow(chfn_t) +-auth_use_nsswitch(chfn_t) ++auth_manage_passwd(chfn_t) ++auth_use_pam(chfn_t) ++#auth_run_chk_passwd(chfn_t, chfn_roles) ++#auth_dontaudit_read_shadow(chfn_t) ++#auth_use_nsswitch(chfn_t) + + # allow checking if a shell is executable + corecmd_check_exec_shell(chfn_t) +@@ -250,7 +255,8 @@ logging_send_syslog_msg(groupadd_t) + + miscfiles_read_localization(groupadd_t) + +-auth_run_chk_passwd(groupadd_t, groupadd_roles) ++#auth_run_chk_passwd(groupadd_t, groupadd_roles) ++auth_domtrans_chk_passwd(groupadd_t) + auth_rw_lastlog(groupadd_t) + auth_use_nsswitch(groupadd_t) + auth_manage_passwd(groupadd_t) +@@ -273,7 +279,8 @@ optional_policy(` + ') + + optional_policy(` +- nscd_run(groupadd_t, groupadd_roles) ++# 
nscd_run(groupadd_t, groupadd_roles) ++ nscd_domtrans(groupadd_t) + ') + + optional_policy(` +@@ -332,18 +339,18 @@ selinux_compute_user_contexts(passwd_t) + term_use_all_inherited_terms(passwd_t) + term_getattr_all_ptys(passwd_t) + +-#auth_manage_passwd(passwd_t) +-#auth_manage_shadow(passwd_t) +-#auth_relabel_shadow(passwd_t) +-#auth_etc_filetrans_shadow(passwd_t) +-#auth_use_pam(passwd_t) +- +-auth_run_chk_passwd(passwd_t, passwd_roles) + auth_manage_passwd(passwd_t) + auth_manage_shadow(passwd_t) + auth_relabel_shadow(passwd_t) + auth_etc_filetrans_shadow(passwd_t) +-auth_use_nsswitch(passwd_t) ++auth_use_pam(passwd_t) ++ ++#auth_run_chk_passwd(passwd_t, passwd_roles) ++#auth_manage_passwd(passwd_t) ++#auth_manage_shadow(passwd_t) ++#auth_relabel_shadow(passwd_t) ++#auth_etc_filetrans_shadow(passwd_t) ++#auth_use_nsswitch(passwd_t) + + # allow checking if a shell is executable + corecmd_check_exec_shell(passwd_t) +@@ -385,7 +392,8 @@ userdom_dontaudit_search_user_home_content(passwd_t) + userdom_stream_connect(passwd_t) + + optional_policy(` +- nscd_run(passwd_t, passwd_roles) ++ #nscd_run(passwd_t, passwd_roles) ++ nscd_domtrans(passwd_t) + ') + + ######################################## +@@ -469,7 +477,8 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t) + userdom_dontaudit_search_user_home_content(sysadm_passwd_t) + + optional_policy(` +- nscd_run(sysadm_passwd_t, sysadm_passwd_roles) ++ nscd_domtrans(sysadm_passwd_t) ++ #nscd_run(sysadm_passwd_t, sysadm_passwd_roles) + ') + + ######################################## +@@ -525,7 +534,8 @@ seutil_manage_default_contexts(useradd_t) + term_use_all_inherited_terms(useradd_t) + term_getattr_all_ptys(useradd_t) + +-auth_run_chk_passwd(useradd_t, useradd_roles) ++#auth_run_chk_passwd(useradd_t, useradd_roles) ++auth_domtrans_chk_passwd(useradd_t) + auth_rw_lastlog(useradd_t) + auth_rw_faillog(useradd_t) + auth_use_nsswitch(useradd_t) +@@ -547,15 +557,15 @@ miscfiles_read_localization(useradd_t) + 
seutil_read_config(useradd_t) + seutil_read_file_contexts(useradd_t) + seutil_read_default_contexts(useradd_t) +-#seutil_domtrans_semanage(useradd_t) +-#seutil_domtrans_setfiles(useradd_t) +-#seutil_domtrans_loadpolicy(useradd_t) +-#seutil_manage_bin_policy(useradd_t) +-#seutil_manage_module_store(useradd_t) +-#seutil_get_semanage_trans_lock(useradd_t) +-#seutil_get_semanage_read_lock(useradd_t) +-seutil_run_semanage(useradd_t, useradd_roles) +-seutil_run_setfiles(useradd_t, useradd_roles) ++seutil_domtrans_semanage(useradd_t) ++seutil_domtrans_setfiles(useradd_t) ++seutil_domtrans_loadpolicy(useradd_t) ++seutil_manage_bin_policy(useradd_t) ++seutil_manage_module_store(useradd_t) ++seutil_get_semanage_trans_lock(useradd_t) ++seutil_get_semanage_read_lock(useradd_t) ++#seutil_run_semanage(useradd_t, useradd_roles) ++#seutil_run_setfiles(useradd_t, useradd_roles) + + userdom_use_unpriv_users_fds(useradd_t) + # Add/remove user home directories +@@ -576,7 +586,8 @@ optional_policy(` + ') + + optional_policy(` +- nscd_run(useradd_t, useradd_roles) ++ nscd_domtrans(useradd_t) ++# nscd_run(useradd_t, useradd_roles) + ') + + optional_policy(` +diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if +index 174cfdb..7071460 100644 +--- a/policy/modules/system/iptables.if ++++ b/policy/modules/system/iptables.if +@@ -38,11 +38,22 @@ interface(`iptables_domtrans',` + # + interface(`iptables_run',` + gen_require(` +- attribute_role iptables_roles; ++ #attribute_role iptables_roles; ++ type iptables_t; + ') + ++ #iptables_domtrans($1) ++ #roleattribute $2 iptables_roles; ++ + iptables_domtrans($1) +- roleattribute $2 iptables_roles; ++ role $2 types iptables_t; ++ ++ sysnet_run_ifconfig(iptables_t, $2) ++ ++ optional_policy(` ++ modutils_run_insmod(iptables_t, $2) ++ ') ++ + ') + + ######################################## +diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te +index cc8d773..36e02fa 100644 +--- 
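Review bot: The newly uncommented `seutil_manage_bin_policy(useradd_t)` and `seutil_manage_module_store(useradd_t)` give the useradd domain direct write access to the binary policy and the module store, and `seutil_domtrans_loadpolicy(useradd_t)` adds a transition into load_policy_t, where the removed `seutil_run_semanage`/`seutil_run_setfiles` rules only let useradd_t hand that work to semanage_t and setfiles_t. A later commit in this series comments the two manage lines back out but keeps the load_policy transition and the semanage lock interfaces, so part of the widening survives. The role side is also missing: nothing in the rewritten `usermanage_run_useradd` authorizes `$2` for semanage_t or setfiles_t, so these transitions only work for roles that obtain that authorization elsewhere. I would keep `seutil_domtrans_semanage(useradd_t)` and `seutil_domtrans_setfiles(useradd_t)` here, drop the loadpolicy and store lines, and add `seutil_run_semanage(useradd_t, $2)` and `seutil_run_setfiles(useradd_t, $2)` to the run interface.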
a/policy/modules/system/iptables.te ++++ b/policy/modules/system/iptables.te +@@ -5,13 +5,14 @@ policy_module(iptables, 1.13.0) + # Declarations + # + +-attribute_role iptables_roles; +-roleattribute system_r iptables_roles; ++#attribute_role iptables_roles; ++#roleattribute system_r iptables_roles; + + type iptables_t; + type iptables_exec_t; + init_system_domain(iptables_t, iptables_exec_t) +-role iptables_roles types iptables_t; ++#role iptables_roles types iptables_t; ++role system_r types iptables_t; + + type iptables_initrc_exec_t; + init_script_file(iptables_initrc_exec_t) +@@ -97,7 +98,8 @@ logging_send_syslog_msg(iptables_t) + + miscfiles_read_localization(iptables_t) + +-sysnet_run_ifconfig(iptables_t, iptables_roles) ++#sysnet_run_ifconfig(iptables_t, iptables_roles) ++sysnet_domtrans_ifconfig(iptables_t) + sysnet_dns_name_resolve(iptables_t) + + userdom_use_inherited_user_terminals(iptables_t) +@@ -119,7 +121,8 @@ optional_policy(` + ') + + optional_policy(` +- modutils_run_insmod(iptables_t, iptables_roles) ++ modutils_domtrans_insmod(iptables_t) ++ #modutils_run_insmod(iptables_t, iptables_roles) + ') + + optional_policy(` +diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if +index 786f87a..2debedc 100644 +--- a/policy/modules/system/modutils.if ++++ b/policy/modules/system/modutils.if +@@ -345,11 +345,18 @@ interface(`modutils_domtrans_update_mods',` + # + interface(`modutils_run_update_mods',` + gen_require(` +- attribute_role update_modules_roles; ++ #attribute_role update_modules_roles; ++ type update_modules_t; + ') + ++ #modutils_domtrans_update_mods($1) ++ #roleattribute $2 update_modules_roles; ++ + modutils_domtrans_update_mods($1) +- roleattribute $2 update_modules_roles; ++ role $2 types update_modules_t; ++ ++ modutils_run_insmod(update_modules_t, $2) ++ + ') + + ######################################## +diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te +index b83608d..86a7107 
100644 +--- a/policy/modules/system/modutils.te ++++ b/policy/modules/system/modutils.te +@@ -5,7 +5,7 @@ policy_module(modutils, 1.12.1) + # Declarations + # + +-attribute_role update_modules_roles; ++#attribute_role update_modules_roles; + + type depmod_t; + type depmod_exec_t; +@@ -30,8 +30,9 @@ files_type(modules_dep_t) + type update_modules_t; + type update_modules_exec_t; + init_system_domain(update_modules_t, update_modules_exec_t) +-roleattribute system_r update_modules_roles; +-role update_modules_roles types update_modules_t; ++#roleattribute system_r update_modules_roles; ++#role update_modules_roles types update_modules_t; ++role system_r types update_modules_t; + + type update_modules_tmp_t; + files_tmp_file(update_modules_tmp_t) +@@ -318,7 +319,7 @@ logging_send_syslog_msg(update_modules_t) + + miscfiles_read_localization(update_modules_t) + +-modutils_run_insmod(update_modules_t, update_modules_roles) ++#modutils_run_insmod(update_modules_t, update_modules_roles) + + userdom_use_inherited_user_terminals(update_modules_t) + userdom_dontaudit_search_user_home_dirs(update_modules_t) +diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if +index 52e78b8..4881d86 100644 +--- a/policy/modules/system/mount.if ++++ b/policy/modules/system/mount.if +@@ -44,11 +44,36 @@ interface(`mount_domtrans',` + # + interface(`mount_run',` + gen_require(` +- attribute_role mount_roles; ++ #attribute_role mount_roles; ++ type mount_t; + ') + ++ #mount_domtrans($1) ++ #roleattribute $2 mount_roles; ++ + mount_domtrans($1) +- roleattribute $2 mount_roles; ++ role $2 types mount_t; ++ ++ optional_policy(` ++ fstools_run(mount_t, $2) ++ ') ++ ++ optional_policy(` ++ lvm_run(mount_t, $2) ++ ') ++ ++ optional_policy(` ++ modutils_run_insmod(mount_t, $2) ++ ') ++ ++ optional_policy(` ++ rpc_run_rpcd(mount_t, $2) ++ ') ++ ++ optional_policy(` ++ samba_run_smbmount(mount_t, $2) ++ ') ++ + ') + + ######################################## +diff --git 
a/policy/modules/system/mount.te b/policy/modules/system/mount.te +index cc76452..14320fe 100644 +--- a/policy/modules/system/mount.te ++++ b/policy/modules/system/mount.te +@@ -12,13 +12,14 @@ policy_module(mount, 1.14.2) + ## + gen_tunable(allow_mount_anyfile, false) + +-attribute_role mount_roles; +-roleattribute system_r mount_roles; ++#attribute_role mount_roles; ++#roleattribute system_r mount_roles; + + type mount_t; + type mount_exec_t; + init_system_domain(mount_t, mount_exec_t) +-role mount_roles types mount_t; ++#role mount_roles types mount_t; ++role system_r types mount_t; + + type fusermount_exec_t; + domain_entry_file(mount_t, fusermount_exec_t) +@@ -286,25 +287,28 @@ optional_policy(` + + # Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 + optional_policy(` +- lvm_run(mount_t, mount_roles) ++# lvm_run(mount_t, mount_roles) ++ lvm_domtrans(mount_t) + ') + + optional_policy(` +- modutils_run_insmod(mount_t, mount_roles) ++ #modutils_run_insmod(mount_t, mount_roles) ++ modutils_domtrans_insmod(mount_t) + modutils_read_module_deps(mount_t) + ') + + optional_policy(` +- fstools_run(mount_t, mount_roles) ++ fstools_domtrans(mount_t) ++ #fstools_run(mount_t, mount_roles) + ') + + optional_policy(` + rhcs_stream_connect_gfs_controld(mount_t) + ') + +-optional_policy(` +- rpc_run_rpcd(mount_t, mount_roles) +-') ++#optional_policy(` ++# rpc_run_rpcd(mount_t, mount_roles) ++#') + + # for kernel package installation + optional_policy(` +@@ -314,7 +318,8 @@ optional_policy(` + + optional_policy(` + samba_read_config(mount_t) +- samba_run_smbmount(mount_t, mount_roles) ++ samba_domtrans_smbmount(mount_t) ++ #samba_run_smbmount(mount_t, mount_roles) + ') + + optional_policy(` +diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if +index a853819..cebf588 100644 +--- a/policy/modules/system/selinuxutil.if ++++ b/policy/modules/system/selinuxutil.if +@@ -192,11 +192,22 @@ 
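Review bot: The `rpc_run_rpcd(mount_t, mount_roles)` block is commented out without the domtrans replacement every other helper in this hunk received (`lvm_domtrans`, `modutils_domtrans_insmod`, `fstools_domtrans`, and `samba_domtrans_smbmount` in the next hunk). After this change mount_t reaches rpcd_t only when some module calls the rewritten `mount_run(mount_t, role)` in mount.if, which still contains `rpc_run_rpcd(mount_t, $2)`, so mounts done under system_r (init scripts, the bootloader path that now uses `mount_domtrans`) silently lose the transition. If it is still wanted, add `rpc_domtrans_rpcd(mount_t)` inside an optional_policy block here; if it was dropped on purpose, the matching line in mount.if should go too and a comment should say why.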
interface(`seutil_domtrans_newrole',` + # + interface(`seutil_run_newrole',` + gen_require(` +- attribute_role newrole_roles; ++ type newrole_t; ++ #attribute_role newrole_roles; + ') + ++ #seutil_domtrans_newrole($1) ++ #roleattribute $2 newrole_roles; ++ + seutil_domtrans_newrole($1) +- roleattribute $2 newrole_roles; ++ role $2 types newrole_t; ++ ++ auth_run_upd_passwd(newrole_t, $2) ++ ++ optional_policy(` ++ namespace_init_run(newrole_t, $2) ++ ') ++ + ') + + ######################################## +diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te +index 2aee0c0..4c24e3e 100644 +--- a/policy/modules/system/selinuxutil.te ++++ b/policy/modules/system/selinuxutil.te +@@ -14,7 +14,7 @@ attribute can_relabelto_binary_policy; + attribute setfiles_domain; + attribute seutil_semanage_domain; + +-attribute_role newrole_roles; ++#attribute_role newrole_roles; + + attribute_role run_init_roles; + role system_r types run_init_t; +@@ -65,7 +65,8 @@ application_domain(newrole_t, newrole_exec_t) + domain_role_change_exemption(newrole_t) + domain_obj_id_change_exemption(newrole_t) + domain_interactive_fd(newrole_t) +-role newrole_roles types newrole_t; ++#role newrole_roles types newrole_t; ++role system_r types newrole_t; + + # + # policy_config_t is the type of /etc/security/selinux/* +@@ -299,10 +300,11 @@ term_relabel_all_ptys(newrole_t) + term_getattr_unallocated_ttys(newrole_t) + term_dontaudit_use_unallocated_ttys(newrole_t) + +-auth_use_nsswitch(newrole_t) +-auth_run_chk_passwd(newrole_t, newrole_roles) +-auth_run_upd_passwd(newrole_t, newrole_roles) +-auth_rw_faillog(newrole_t) ++#auth_use_nsswitch(newrole_t) ++#auth_run_chk_passwd(newrole_t, newrole_roles) ++#auth_run_upd_passwd(newrole_t, newrole_roles) ++#auth_rw_faillog(newrole_t) ++auth_use_pam(newrole_t) + + # Write to utmp. 
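Review bot: The rewritten `seutil_run_newrole` adds `auth_run_upd_passwd(newrole_t, $2)` but not a matching `auth_run_chk_passwd(newrole_t, $2)`, while the selinuxutil.te hunk further down replaces both `auth_run_chk_passwd(newrole_t, newrole_roles)` and `auth_run_upd_passwd(newrole_t, newrole_roles)` with `auth_use_pam(newrole_t)`. When newrole authenticates through PAM the checker runs in chkpwd_t, so unless the calling role is already authorized for chkpwd_t by some other module, the transition out of newrole_t fails the role check and the user cannot authenticate. `usermanage_run_passwd` and `seutil_run_runinit` in this same patch do add the chk_passwd role authorization, so this reads as an omission: add `auth_run_chk_passwd(newrole_t, $2)` beside the upd_passwd line.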
+ init_rw_utmp(newrole_t) +@@ -322,9 +324,9 @@ optional_policy(` + dbus_system_bus_client(newrole_t) + ') + +-optional_policy(` +- namespace_init_run(newrole_t, newrole_roles) +-') ++#optional_policy(` ++# namespace_init_run(newrole_t, newrole_roles) ++#') + + + optional_policy(` +diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if +index 7b08f77..949fdcc 100644 +--- a/policy/modules/system/sysnetwork.if ++++ b/policy/modules/system/sysnetwork.if +@@ -38,11 +38,47 @@ interface(`sysnet_domtrans_dhcpc',` + # + interface(`sysnet_run_dhcpc',` + gen_require(` +- attribute_role dhcpc_roles; ++ type dhcpc_t; ++ #attribute_role dhcpc_roles; + ') + ++ #sysnet_domtrans_dhcpc($1) ++ #roleattribute $2 dhcpc_roles; ++ + sysnet_domtrans_dhcpc($1) +- roleattribute $2 dhcpc_roles; ++ role $2 types dhcpc_t; ++ ++ modutils_run_insmod(dhcpc_t, $2) ++ ++ sysnet_run_ifconfig(dhcpc_t, $2) ++ ++ optional_policy(` ++ hostname_run(dhcpc_t, $2) ++ ') ++ ++ optional_policy(` ++ netutils_run(dhcpc_t, $2) ++ netutils_run_ping(dhcpc_t, $2) ++ ') ++ ++ optional_policy(` ++ networkmanager_run(dhcpc_t, $2) ++ ') ++ ++ optional_policy(` ++ nis_run_ypbind(dhcpc_t, $2) ++ ') ++ ++ optional_policy(` ++ nscd_run(dhcpc_t, $2) ++ ') ++ ++ optional_policy(` ++ ntp_run(dhcpc_t, $2) ++ ') ++ ++ seutil_run_setfiles(dhcpc_t, $2) ++ + ') + + ######################################## +diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te +index 2d2b6ef..1bfcd4f 100644 +--- a/policy/modules/system/sysnetwork.te ++++ b/policy/modules/system/sysnetwork.te +@@ -12,8 +12,8 @@ policy_module(sysnetwork, 1.13.2) + ## + gen_tunable(dhcpc_exec_iptables, false) + +-attribute_role dhcpc_roles; +-roleattribute system_r dhcpc_roles; ++#attribute_role dhcpc_roles; ++#roleattribute system_r dhcpc_roles; + + # this is shared between dhcpc and dhcpd: + type dhcp_etc_t; +@@ -27,7 +27,8 @@ files_type(dhcp_state_t) + type dhcpc_t; + type dhcpc_exec_t; + 
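Review bot: `seutil_run_setfiles(dhcpc_t, $2)` at the end of the rewritten `sysnet_run_dhcpc` is new: no sysnetwork.te hunk in this patch removes a `seutil_run_setfiles(dhcpc_t, dhcpc_roles)`, so this line grants the DHCP client domain a transition into setfiles_t it did not have, and because `*_run` interfaces carry their own domtrans allow rule the grant applies to every dhcpc_t process (including the system_r daemon that parses packets from the LAN) as soon as any module calls this interface for any role. The other run calls here at least mirror transitions the .te hunks show the domain already had (insmod, ifconfig, hostname, netutils); for nscd, ntp, ypbind and NetworkManager that cannot be confirmed from this patch. If relabelling by dhclient is genuinely needed, put `seutil_domtrans_setfiles(dhcpc_t)` in sysnetwork.te where it is reviewed with the rest of the domain, and keep this interface to the role authorizations; otherwise drop the line.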
init_daemon_domain(dhcpc_t, dhcpc_exec_t) +-role dhcpc_roles types dhcpc_t; ++#role dhcpc_roles types dhcpc_t; ++role system_r types dhcpc_t; + + type dhcpc_helper_exec_t; + init_script_file(dhcpc_helper_exec_t) +@@ -159,9 +160,10 @@ logging_send_syslog_msg(dhcpc_t) + miscfiles_read_generic_certs(dhcpc_t) + miscfiles_read_localization(dhcpc_t) + +-modutils_run_insmod(dhcpc_t, dhcpc_roles) ++#modutils_run_insmod(dhcpc_t, dhcpc_roles) ++modutils_domtrans_insmod(dhcpc_t) ++#sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) + +-sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) + + userdom_use_user_terminals(dhcpc_t) + userdom_dontaudit_search_user_home_dirs(dhcpc_t) +@@ -176,9 +178,9 @@ ifdef(`distro_ubuntu',` + ') + ') + +-optional_policy(` +- consoletype_run(dhcpc_t, dhcpc_roles) +-') ++#optional_policy(` ++# consoletype_run(dhcpc_t, dhcpc_roles) ++#') + + optional_policy(` + chronyd_initrc_domtrans(dhcpc_t) +@@ -203,7 +205,8 @@ optional_policy(` + ') + + optional_policy(` +- hostname_run(dhcpc_t, dhcpc_roles) ++ hostname_domtrans(dhcpc_t) ++# hostname_run(dhcpc_t, dhcpc_roles) + ') + + optional_policy(` +commit 0a0c8b9d35398f3662db1b0bdb2f4c7761121ba1 +Author: Miroslav Grepl +Date: Thu Jun 7 02:26:53 2012 +0200 + + roleattribute patch for passwd_t + +diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if +index 764260e..da75471 100644 +--- a/policy/modules/admin/usermanage.if ++++ b/policy/modules/admin/usermanage.if +@@ -176,7 +176,7 @@ interface(`usermanage_kill_passwd',` + # + interface(`usermanage_run_passwd',` + gen_require(` +- type type passwd_t; ++ type passwd_t; + #attribute_role passwd_roles; + ') + +commit 0b71245f63ddbb6ca00790fa5318db798286d8d8 +Author: Miroslav Grepl +Date: Thu Jun 7 02:38:28 2012 +0200 + + Fix also for sysnetwork.te + +diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te +index 1bfcd4f..3a94d52 100644 +--- a/policy/modules/system/sysnetwork.te ++++ b/policy/modules/system/sysnetwork.te 
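Review bot: `sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)` is removed here and only re-added as a comment, with no `sysnet_domtrans_ifconfig(dhcpc_t)` to replace it, whereas the parallel iptables.te hunk in this patch replaces its `sysnet_run_ifconfig` with `sysnet_domtrans_ifconfig(iptables_t)`. The dhclient daemon normally runs as dhcpc_t under system_r and its hook scripts configure interfaces with ifconfig/ip, so unless the transition is granted elsewhere in sysnetwork.te the daemon loses it, and only roles that call `sysnet_run_dhcpc` in the rewritten sysnetwork.if get it back. Add `sysnet_domtrans_ifconfig(dhcpc_t)` next to the new `modutils_domtrans_insmod(dhcpc_t)`.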
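Review bot: The `consoletype_run(dhcpc_t, dhcpc_roles)` block is commented out with neither a `consoletype_domtrans(dhcpc_t)` replacement here nor a `consoletype_run(dhcpc_t, $2)` in the rewritten `sysnet_run_dhcpc`, so this is the one helper transition in the dhcpc rewrite that disappears completely rather than being moved. If that is intended it deserves a one-line comment saying so; if not, `consoletype_domtrans(dhcpc_t)` inside the existing optional_policy block restores it.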
+@@ -226,8 +226,10 @@ optional_policy(`
+
+ # for the dhcp client to run ping to check IP addresses
+ optional_policy(`
+- netutils_run_ping(dhcpc_t, dhcpc_roles)
+- netutils_run(dhcpc_t, dhcpc_roles)
++ #netutils_run_ping(dhcpc_t, dhcpc_roles)
++ #netutils_run(dhcpc_t, dhcpc_roles)
++ netutils_domtrans_ping(dhcpc_t)
++ netutils_domtrans(dhcpc_t
+ ',`
+ allow dhcpc_t self:capability setuid;
+ allow dhcpc_t self:rawip_socket create_socket_perms;
+commit fdfc3cf8dbc69bda177afe16e78a52891cb6da4a
+Author: Miroslav Grepl
+Date: Thu Jun 7 02:41:48 2012 +0200
+
+ Other
+
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index 3a94d52..6a6f03f 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -229,7 +229,7 @@ optional_policy(`
+ #netutils_run_ping(dhcpc_t, dhcpc_roles)
+ #netutils_run(dhcpc_t, dhcpc_roles)
+ netutils_domtrans_ping(dhcpc_t)
+- netutils_domtrans(dhcpc_t
++ netutils_domtrans(dhcpc_t)
+ ',`
+ allow dhcpc_t self:capability setuid;
+ allow dhcpc_t self:rawip_socket create_socket_perms;
+commit 2ea19d46d563741f998001a38f9d4dbb4d1fdd06
+Author: Miroslav Grepl
+Date: Thu Jun 7 08:10:01 2012 +0200
+
+ Fix passwd
+
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index a077b28..396909c 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -526,11 +526,6 @@ fs_getattr_xattr_fs(useradd_t)
+ mls_file_upgrade(useradd_t)
+ mls_process_read_to_clearance(useradd_t)
+
+-seutil_semanage_policy(useradd_t)
+-seutil_manage_file_contexts(useradd_t)
+-seutil_manage_config(useradd_t)
+-seutil_manage_default_contexts(useradd_t)
+-
+ term_use_all_inherited_terms(useradd_t)
+ term_getattr_all_ptys(useradd_t)
+
+@@ -554,14 +549,19 @@ logging_send_syslog_msg(useradd_t)
+
+ miscfiles_read_localization(useradd_t)
+
++seutil_semanage_policy(useradd_t)
++seutil_manage_file_contexts(useradd_t)
++seutil_manage_config(useradd_t)
++seutil_manage_default_contexts(useradd_t) ++ + seutil_read_config(useradd_t) + seutil_read_file_contexts(useradd_t) + seutil_read_default_contexts(useradd_t) + seutil_domtrans_semanage(useradd_t) + seutil_domtrans_setfiles(useradd_t) + seutil_domtrans_loadpolicy(useradd_t) +-seutil_manage_bin_policy(useradd_t) +-seutil_manage_module_store(useradd_t) ++#seutil_manage_bin_policy(useradd_t) ++#seutil_manage_module_store(useradd_t) + seutil_get_semanage_trans_lock(useradd_t) + seutil_get_semanage_read_lock(useradd_t) + #seutil_run_semanage(useradd_t, useradd_roles) +commit db92f5bcb6fe7f86aae12dffe64ec3d920815343 +Author: Miroslav Grepl +Date: Thu Jun 7 08:30:34 2012 +0200 + + Also for semanage_roles + +diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if +index cebf588..7e38077 100644 +--- a/policy/modules/system/selinuxutil.if ++++ b/policy/modules/system/selinuxutil.if +@@ -1140,11 +1140,18 @@ interface(`seutil_domtrans_setsebool',` + # + interface(`seutil_run_semanage',` + gen_require(` +- attribute_role semanage_roles; ++ #attribute_role semanage_roles; ++ type semanage_t; + ') + ++ #seutil_domtrans_semanage($1) ++ #roleattribute $2 semanage_roles; ++ + seutil_domtrans_semanage($1) +- roleattribute $2 semanage_roles; ++ seutil_run_setfiles(semanage_t, $2) ++ seutil_run_loadpolicy(semanage_t, $2) ++ role $2 types semanage_t; ++ + ') + + ######################################## +diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te +index 4c24e3e..90498cd 100644 +--- a/policy/modules/system/selinuxutil.te ++++ b/policy/modules/system/selinuxutil.te +@@ -19,8 +19,8 @@ attribute seutil_semanage_domain; + attribute_role run_init_roles; + role system_r types run_init_t; + +-attribute_role semanage_roles; +-roleattribute system_r semanage_roles; ++#attribute_role semanage_roles; ++#roleattribute system_r semanage_roles; + + # + # selinux_config_t is the type applied to +@@ -110,7 +110,8 @@ 
application_domain(semanage_t, semanage_exec_t)
+ dbus_system_domain(semanage_t, semanage_exec_t)
+ init_daemon_domain(semanage_t, semanage_exec_t)
+ domain_interactive_fd(semanage_t)
+-role semanage_roles types semanage_t;
++#role semanage_roles types semanage_t;
++role system_r types semanage_t;
+
+ type setsebool_t;
+ type setsebool_exec_t;
+@@ -530,14 +531,15 @@ files_read_non_security_files(semanage_t)
+
+ seutil_manage_file_contexts(semanage_t)
+ seutil_manage_config(semanage_t)
+-
+-seutil_run_setfiles(semanage_t, semanage_roles)
+-seutil_run_loadpolicy(semanage_t, semanage_roles)
+-seutil_manage_bin_policy(semanage_t)
+-seutil_use_newrole_fds(semanage_t)
+-seutil_manage_module_store(semanage_t)
+-seutil_get_semanage_trans_lock(semanage_t)
+-seutil_get_semanage_read_lock(semanage_t)
++seutil_domtrans_setfiles(semanage_t)
++
++#seutil_run_setfiles(semanage_t, semanage_roles)
++#seutil_run_loadpolicy(semanage_t, semanage_roles)
++#seutil_manage_bin_policy(semanage_t)
++#seutil_use_newrole_fds(semanage_t)
++#seutil_manage_module_store(semanage_t)
++#seutil_get_semanage_trans_lock(semanage_t)
++#seutil_get_semanage_read_lock(semanage_t)
+ # netfilter_contexts:
+ seutil_manage_default_contexts(semanage_t)
+
+commit aebf9204ec2a7cfb943327eb3aace2a9b4130769
+Author: Miroslav Grepl
+Date: Thu Jun 7 08:38:22 2012 +0200
+
+ run_init roles
+
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index 7e38077..6903c5e 100644
+--- a/policy/modules/system/selinuxutil.if
++++ b/policy/modules/system/selinuxutil.if
+@@ -457,11 +457,20 @@ interface(`seutil_init_script_domtrans_runinit',`
+ #
+ interface(`seutil_run_runinit',`
+ gen_require(`
+- attribute_role run_init_roles;
++ #attribute_role run_init_roles;
++ type run_init_t;
++ role system_r;
+ ')
+
+- seutil_domtrans_runinit($1)
+- roleattribute $2 run_init_roles;
++ #seutil_domtrans_runinit($1)
++ #roleattribute $2 run_init_roles;
++
++ auth_run_chk_passwd(run_init_t, $2)
++ seutil_domtrans_runinit($1)
++ role $2 types run_init_t;
++
++ allow $2 system_r;
++
+ ')
+
+ ########################################
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 90498cd..06b4e9a 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -16,8 +16,8 @@ attribute seutil_semanage_domain;
+
+ #attribute_role newrole_roles;
+
+-attribute_role run_init_roles;
+-role system_r types run_init_t;
++#attribute_role run_init_roles;
++#role system_r types run_init_t;
+
+ #attribute_role semanage_roles;
+ #roleattribute system_r semanage_roles;
+@@ -102,7 +102,8 @@ type run_init_t;
+ type run_init_exec_t;
+ application_domain(run_init_t, run_init_exec_t)
+ domain_system_change_exemption(run_init_t)
+-role run_init_roles types run_init_t;
++#role run_init_roles types run_init_t;
++role system_r types run_init_t;
+
+ type semanage_t;
+ type semanage_exec_t;
+@@ -412,7 +413,7 @@ optional_policy(`
+ # Run_init local policy
+ #
+
+-allow run_init_roles system_r;
++#allow run_init_roles system_r;
+
+ allow run_init_t self:process setexec;
+ allow run_init_t self:capability setuid;
+@@ -449,11 +450,17 @@ selinux_compute_user_contexts(run_init_t)
+
+ term_use_console(run_init_t)
+
++#auth_use_nsswitch(run_init_t)
++#auth_run_chk_passwd(run_init_t, run_init_roles)
++#auth_run_upd_passwd(run_init_t, run_init_roles)
++#auth_dontaudit_read_shadow(run_init_t)
++
+ auth_use_nsswitch(run_init_t)
+-auth_run_chk_passwd(run_init_t, run_init_roles)
+-auth_run_upd_passwd(run_init_t, run_init_roles)
++auth_domtrans_chk_passwd(run_init_t)
++auth_domtrans_upd_passwd(run_init_t)
+ auth_dontaudit_read_shadow(run_init_t)
+
++
+ init_spec_domtrans_script(run_init_t)
+ # for utmp
+ init_rw_utmp(run_init_t)
+commit 4803dd3583e4c84e24a7f6974e195bb8145f1bb5
+Author: Miroslav Grepl
+Date: Thu Jun 7 10:01:51 2012 +0200
+
+ One more for run_init
+
+diff --git a/policy/modules/system/selinuxutil.if 
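Review bot: Only `seutil_domtrans_setfiles(semanage_t)` replaces the removed rules in this hunk; `seutil_run_loadpolicy(semanage_t, semanage_roles)` disappears without a `seutil_domtrans_loadpolicy(semanage_t)`, and `seutil_manage_bin_policy`, `seutil_use_newrole_fds`, `seutil_manage_module_store` and both semanage lock interfaces are dropped outright. The rewritten `seutil_run_semanage` re-adds the setfiles and load_policy transitions only for roles that call it, but semanage_t is also declared with `init_daemon_domain` and `dbus_system_domain` and is allowed for system_r in this same file, and nothing in this patch supplies the load_policy transition on that path. If `seutil_semanage_policy(semanage_t)` (the interface this series uses for useradd_t) or the `seutil_semanage_domain` attribute already covers the store, lock and newrole-fd permissions outside this hunk, a comment saying so would help; either way add `seutil_domtrans_loadpolicy(semanage_t)` beside the setfiles line.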
b/policy/modules/system/selinuxutil.if +index 6903c5e..b64a37a 100644 +--- a/policy/modules/system/selinuxutil.if ++++ b/policy/modules/system/selinuxutil.if +@@ -502,11 +502,19 @@ interface(`seutil_run_runinit',` + # + interface(`seutil_init_script_run_runinit',` + gen_require(` +- attribute_role run_init_roles; ++ #attribute_role run_init_roles; ++ type run_init_t; ++ role system_r + ') + +- seutil_init_script_domtrans_runinit($1) +- roleattribute $2 run_init_roles; ++ #seutil_init_script_domtrans_runinit($1) ++ #roleattribute $2 run_init_roles; ++ auth_run_chk_passwd(run_init_t, $2) ++ seutil_init_script_domtrans_runinit($1) ++ role $2 types run_init_t; ++ ++ allow $2 system_r; ++ + ') + + ######################################## diff --git a/policy-rawhide.patch b/policy-rawhide.patch index 71830fc..115f7d4 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -58144,7 +58144,7 @@ index 3a45f23..f4754f0 100644 # fork # setexec diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index f462e95..ce808db 100644 +index f462e95..d29da40 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -393,6 +393,10 @@ class system @@ -58158,7 +58158,16 @@ index f462e95..ce808db 100644 } # -@@ -860,3 +864,20 @@ inherits database +@@ -445,6 +449,8 @@ class capability2 + mac_override # unused by SELinux + mac_admin # unused by SELinux + syslog ++ wake_alarm ++ epolwakeup + } + + # +@@ -860,3 +866,20 @@ inherits database implement execute } @@ -79909,24 +79918,10 @@ index 0e3c2a9..40adf5a 100644 +') + diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 9fd5be7..3eb0e5e 100644 +index 9fd5be7..db7e141 100644 --- a/policy/modules/system/locallogin.te 
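Review bot: The `role system_r` added to gen_require in `seutil_init_script_run_runinit` is missing its terminating semicolon, unlike the `role system_r;` the previous commit adds to `seutil_run_runinit`; inside gen_require this is a syntax error in the expanded policy, so any module that calls this interface fails to build. Change it to `role system_r;`. The `allow $2 system_r;` role-change rule and the `auth_run_chk_passwd(run_init_t, $2)` call otherwise match the sibling interface.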
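Review bot: The new `epolwakeup` entry in class capability2 should be checked against the exact permission name in the kernel's capability2 classmap before this ships; the kernel matches policy permissions by name, so a misspelt entry (this one has a single "l", while the epoll-based capability it appears to refer to is spelt with two) never maps to the capability bit and the kernel treats the real permission as undefined in the policy, subject to the handle_unknown setting. `wake_alarm` at least matches the CAP_WAKE_ALARM spelling, but deserves the same check. If the name is deliberately provisional, a trailing comment in the style of the existing `# unused by SELinux` notes, such as `# kernel name still in flux, verify`, would keep the next reader from assuming it is final.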
+++ b/policy/modules/system/locallogin.te -@@ -9,13 +9,22 @@ type local_login_t; - domain_interactive_fd(local_login_t) - auth_login_pgm_domain(local_login_t) - auth_login_entry_type(local_login_t) -+init_daemon_domain(local_login_t, login_exec_t) -+init_ranged_daemon_domain(local_login_t, login_exec_t, s0 - mcs_systemhigh) -+ -+ifdef(`enable_mls',` -+ init_ranged_daemon_domain(local_login_t, login_exec_t, mls_systemhigh) -+') -+ -+ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(local_login_t, login_exec_t, mcs_systemhigh) -+') - +@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) type local_login_lock_t; files_lock_file(local_login_lock_t) @@ -79938,7 +79933,7 @@ index 9fd5be7..3eb0e5e 100644 type sulogin_t; type sulogin_exec_t; -@@ -32,9 +41,8 @@ role system_r types sulogin_t; +@@ -32,9 +31,8 @@ role system_r types sulogin_t; # Local login local policy # @@ -79950,7 +79945,7 @@ index 9fd5be7..3eb0e5e 100644 allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; allow local_login_t self:sock_file read_sock_file_perms; -@@ -51,9 +59,7 @@ allow local_login_t self:key { search write link }; +@@ -51,9 +49,7 @@ allow local_login_t self:key { search write link }; allow local_login_t local_login_lock_t:file manage_file_perms; files_lock_filetrans(local_login_t, local_login_lock_t, file) @@ -79961,7 +79956,7 @@ index 9fd5be7..3eb0e5e 100644 kernel_read_system_state(local_login_t) kernel_read_kernel_sysctls(local_login_t) -@@ -73,6 +79,8 @@ dev_getattr_power_mgmt_dev(local_login_t) +@@ -73,6 +69,8 @@ dev_getattr_power_mgmt_dev(local_login_t) dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) dev_setattr_sound_dev(local_login_t) 
@@ -79970,7 +79965,7 @@ index 9fd5be7..3eb0e5e 100644 dev_dontaudit_getattr_apm_bios_dev(local_login_t) dev_dontaudit_setattr_apm_bios_dev(local_login_t) dev_dontaudit_read_framebuffer(local_login_t) -@@ -117,14 +125,18 @@ term_relabel_unallocated_ttys(local_login_t) +@@ -117,14 +115,18 @@ term_relabel_unallocated_ttys(local_login_t) term_relabel_all_ttys(local_login_t) term_setattr_all_ttys(local_login_t) term_setattr_unallocated_ttys(local_login_t) @@ -79990,7 +79985,7 @@ index 9fd5be7..3eb0e5e 100644 miscfiles_read_localization(local_login_t) -@@ -146,14 +158,14 @@ tunable_policy(`console_login',` +@@ -146,14 +148,14 @@ tunable_policy(`console_login',` term_relabel_console(local_login_t) ') @@ -80012,7 +80007,7 @@ index 9fd5be7..3eb0e5e 100644 ') optional_policy(` -@@ -177,14 +189,6 @@ optional_policy(` +@@ -177,14 +179,6 @@ optional_policy(` ') optional_policy(` @@ -80027,7 +80022,7 @@ index 9fd5be7..3eb0e5e 100644 unconfined_shell_domtrans(local_login_t) ') -@@ -215,6 +219,7 @@ allow sulogin_t self:sem create_sem_perms; +@@ -215,6 +209,7 @@ allow sulogin_t self:sem create_sem_perms; allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; @@ -80035,7 +80030,7 @@ index 9fd5be7..3eb0e5e 100644 kernel_read_system_state(sulogin_t) fs_search_auto_mountpoints(sulogin_t) -@@ -223,13 +228,17 @@ fs_rw_tmpfs_chr_files(sulogin_t) +@@ -223,13 +218,17 @@ fs_rw_tmpfs_chr_files(sulogin_t) files_read_etc_files(sulogin_t) # because file systems are not mounted: files_dontaudit_search_isid_type_dirs(sulogin_t) @@ -80053,7 +80048,7 @@ index 9fd5be7..3eb0e5e 100644 seutil_read_config(sulogin_t) seutil_read_default_contexts(sulogin_t) -@@ -238,14 +247,24 @@ userdom_use_unpriv_users_fds(sulogin_t) +@@ -238,14 +237,24 @@ userdom_use_unpriv_users_fds(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) 
@@ -80080,7 +80075,7 @@ index 9fd5be7..3eb0e5e 100644 init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; -@@ -256,11 +275,3 @@ ifdef(`sulogin_no_pam', ` +@@ -256,11 +265,3 @@ ifdef(`sulogin_no_pam', ` selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -84576,10 +84571,10 @@ index 0000000..0898030 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..33c1c9f +index 0000000..eec7c72 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,422 @@ +@@ -0,0 +1,423 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -84660,6 +84655,7 @@ index 0000000..33c1c9f +dev_getattr_all_chr_files(systemd_logind_t) +dev_getattr_all_blk_files(systemd_logind_t) +dev_rw_sysfs(systemd_logind_t) ++dev_rw_input_dev(systemd_logind_t) +dev_setattr_all_chr_files(systemd_logind_t) +dev_setattr_dri_dev(systemd_logind_t) +dev_setattr_generic_usb_dev(systemd_logind_t) diff --git a/policy_contrib-rawhide-roleattribute.patch b/policy_contrib-rawhide-roleattribute.patch new file mode 100644 index 0000000..cbdb104 --- /dev/null +++ b/policy_contrib-rawhide-roleattribute.patch 
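Review bot: `dev_rw_input_dev(systemd_logind_t)` in the systemd.te hunk grants write as well as read on the evdev nodes, and writing to /dev/input/event* injects input events into the device, which is more than a session manager should be able to do; presumably the access is for the power/sleep/lid button handling, which only has to read events. I would confirm from the AVC denials that motivated this whether `write` was actually requested; if only read/ioctl was, a read-only interface should be used instead (I do not see one in this view, so it may need adding to devices.if), and otherwise a comment such as `# logind needs write on evdev for ... — confirm` should say why. The surrounding systemd_logind_t rules start and end outside the hunk.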
@@ -0,0 +1,854 @@ +commit f53f820fe366940d4fdecaef80de4e5b1178fac6 +Author: Miroslav Grepl +Date: Thu Jun 7 01:38:59 2012 +0200 + + roleattribute patch + +diff --git a/livecd.if b/livecd.if +index bfbf676..fb7869e 100644 +--- a/livecd.if ++++ b/livecd.if +@@ -38,12 +38,19 @@ interface(`livecd_run',` + gen_require(` + type livecd_t; + type livecd_exec_t; +- attribute_role livecd_roles; ++ #attribute_role livecd_roles; + ') + + livecd_domtrans($1) +- roleattribute $2 livecd_roles; ++ #roleattribute $2 livecd_roles; ++ role $2 types livecd_t; + role_transition $2 livecd_exec_t system_r; ++ ++ seutil_run_setfiles_mac(livecd_t, system_r) ++ ++ optional_policy(` ++ mount_run(livecd_t, $2) ++ ') + ') + + ######################################## +diff --git a/livecd.te b/livecd.te +index 65efdae..7a944b5 100644 +--- a/livecd.te ++++ b/livecd.te +@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0) + # Declarations + # + +-attribute_role livecd_roles; +-roleattribute system_r livecd_roles; ++#attribute_role livecd_roles; ++#roleattribute system_r livecd_roles; + + type livecd_t; + type livecd_exec_t; + application_domain(livecd_t, livecd_exec_t) +-role livecd_roles types livecd_t; ++role system_r types livecd_t; ++#role livecd_roles types livecd_t; + + type livecd_tmp_t; + files_tmp_file(livecd_tmp_t) +@@ -35,10 +36,10 @@ term_filetrans_all_named_dev(livecd_t) + + sysnet_filetrans_named_content(livecd_t) + +-optional_policy(` +- mount_run(livecd_t, livecd_roles) +- seutil_run_setfiles_mac(livecd_t, livecd_roles) +-') ++#optional_policy(` ++# mount_run(livecd_t, livecd_roles) ++# seutil_run_setfiles_mac(livecd_t, livecd_roles) ++#') + + optional_policy(` + ssh_filetrans_admin_home_content(livecd_t) +diff --git a/mozilla.if b/mozilla.if +index 30b0241..30bfefb 100644 +--- a/mozilla.if ++++ b/mozilla.if +@@ -18,10 +18,11 @@ + interface(`mozilla_role',` + gen_require(` + type mozilla_t, mozilla_exec_t, mozilla_home_t; +- attribute_role mozilla_roles; ++ #attribute_role mozilla_roles; 
+ ') + +- roleattribute $1 mozilla_roles; ++ #roleattribute $1 mozilla_roles; ++ role $1 types mozilla_t; + + domain_auto_trans($2, mozilla_exec_t, mozilla_t) + # Unrestricted inheritance from the caller. +@@ -47,6 +48,8 @@ interface(`mozilla_role',` + relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) + relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) + ++ #should be remove then with adding of roleattribute ++ mozilla_run_plugin(mozilla_t, $1) + mozilla_dbus_chat($2) + + userdom_manage_tmp_role($1, mozilla_t) +@@ -63,7 +66,6 @@ interface(`mozilla_role',` + + mozilla_filetrans_home_content($2) + +- mozilla_dbus_chat($2) + ') + + ######################################## +diff --git a/mozilla.te b/mozilla.te +index 7bf56bf..56700a4 100644 +--- a/mozilla.te ++++ b/mozilla.te +@@ -19,14 +19,15 @@ gen_tunable(mozilla_read_content, false) + ## + gen_tunable(mozilla_plugin_enable_homedirs, false) + +-attribute_role mozilla_roles; ++#attribute_role mozilla_roles; + + type mozilla_t; + type mozilla_exec_t; + typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; + typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; + userdom_user_application_domain(mozilla_t, mozilla_exec_t) +-role mozilla_roles types mozilla_t; ++#role mozilla_roles types mozilla_t; ++role system_r types mozilla_t; + + type mozilla_conf_t; + files_config_file(mozilla_conf_t) +@@ -39,7 +40,8 @@ userdom_user_home_content(mozilla_home_t) + type mozilla_plugin_t; + type mozilla_plugin_exec_t; + application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) +-role mozilla_roles types mozilla_plugin_t; ++#role mozilla_roles types mozilla_plugin_t; ++role system_r types mozilla_plugin_t; + + type mozilla_plugin_tmp_t; + userdom_user_tmp_content(mozilla_plugin_tmp_t) +@@ -55,7 +57,8 @@ files_type(mozilla_plugin_rw_t) + type mozilla_plugin_config_t; + type mozilla_plugin_config_exec_t; + application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) 
+-role mozilla_roles types mozilla_plugin_config_t; ++#role mozilla_roles types mozilla_plugin_config_t; ++role system_r types mozilla_plugin_config_t; + + type mozilla_tmp_t; + userdom_user_tmp_file(mozilla_tmp_t) +@@ -186,7 +189,7 @@ sysnet_dns_name_resolve(mozilla_t) + + userdom_use_inherited_user_ptys(mozilla_t) + +-mozilla_run_plugin(mozilla_t, mozilla_roles) ++#mozilla_run_plugin(mozilla_t, mozilla_roles) + + xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) + xserver_dontaudit_read_xdm_tmp_files(mozilla_t) +@@ -298,7 +301,8 @@ optional_policy(` + ') + + optional_policy(` +- pulseaudio_role(mozilla_roles, mozilla_t) ++ #pulseaudio_role(mozilla_roles, mozilla_t) ++ pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) + pulseaudio_manage_home_files(mozilla_t) + ') +@@ -476,9 +480,9 @@ optional_policy(` + java_exec(mozilla_plugin_t) + ') + +-optional_policy(` +- lpd_run_lpr(mozilla_plugin_t, mozilla_roles) +-') ++#optional_policy(` ++# lpd_run_lpr(mozilla_plugin_t, mozilla_roles) ++#') + + optional_policy(` + mplayer_exec(mozilla_plugin_t) +diff --git a/ncftool.if b/ncftool.if +index 1520b6c..3a4455f 100644 +--- a/ncftool.if ++++ b/ncftool.if +@@ -36,10 +36,18 @@ interface(`ncftool_domtrans',` + # + interface(`ncftool_run',` + gen_require(` +- attribute_role ncftool_roles; ++ type ncftool_t; ++ #attribute_role ncftool_roles; + ') + +- ncftool_domtrans($1) +- roleattribute $2 ncftool_roles; ++ #ncftool_domtrans($1) ++ #roleattribute $2 ncftool_roles; ++ ++ role $1 types ncftool_t; ++ ++ ncftool_domtrans($2) ++ ++ ps_process_pattern($2, ncftool_t) ++ allow $2 ncftool_t:process signal; + ') + +diff --git a/ncftool.te b/ncftool.te +index 91ab36d..8c48c33 100644 +--- a/ncftool.te ++++ b/ncftool.te +@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.0) + # Declarations + # + +-attribute_role ncftool_roles; +-roleattribute system_r ncftool_roles; ++#attribute_role ncftool_roles; ++#roleattribute system_r ncftool_roles; + + type ncftool_t; + 
type ncftool_exec_t; + application_domain(ncftool_t, ncftool_exec_t) + domain_obj_id_change_exemption(ncftool_t) + domain_system_change_exemption(ncftool_t) +-role ncftool_roles types ncftool_t; ++#role ncftool_roles types ncftool_t; ++role system_r types ncftool_t; + + ######################################## + # +@@ -53,8 +54,10 @@ term_use_all_inherited_terms(ncftool_t) + + miscfiles_read_localization(ncftool_t) + sysnet_delete_dhcpc_pid(ncftool_t) +-sysnet_run_dhcpc(ncftool_t, ncftool_roles) +-sysnet_run_ifconfig(ncftool_t, ncftool_roles) ++sysnet_domtrans_dhcpc(ncftool_t) ++sysnet_domtrans_ifconfig(ncftool_t) ++#sysnet_run_dhcpc(ncftool_t, ncftool_roles) ++#sysnet_run_ifconfig(ncftool_t, ncftool_roles) + sysnet_etc_filetrans_config(ncftool_t) + sysnet_manage_config(ncftool_t) + sysnet_read_dhcpc_state(ncftool_t) +@@ -66,9 +69,9 @@ sysnet_signal_dhcpc(ncftool_t) + userdom_use_user_terminals(ncftool_t) + userdom_read_user_tmp_files(ncftool_t) + +-optional_policy(` +- brctl_run(ncftool_t, ncftool_roles) +-') ++#optional_policy(` ++# brctl_run(ncftool_t, ncftool_roles) ++#') + + optional_policy(` + consoletype_exec(ncftool_t) +@@ -85,9 +88,12 @@ optional_policy(` + + optional_policy(` + modutils_read_module_config(ncftool_t) +- modutils_run_insmod(ncftool_t, ncftool_roles) ++ modutils_domtrans_insmod(ncftool_t) ++ #modutils_run_insmod(ncftool_t, ncftool_roles) ++ + ') + + optional_policy(` +- netutils_run(ncftool_t, ncftool_roles) ++ netutils_domtrans(ncftool_t) ++ #netutils_run(ncftool_t, ncftool_roles) + ') +diff --git a/ppp.if b/ppp.if +index c174b05..a4cad0b 100644 +--- a/ppp.if ++++ b/ppp.if +@@ -175,11 +175,18 @@ interface(`ppp_run_cond',` + # + interface(`ppp_run',` + gen_require(` +- attribute_role pppd_roles; ++ #attribute_role pppd_roles; ++ type pppd_t; + ') + +- ppp_domtrans($1) +- roleattribute $2 pppd_roles; ++ #ppp_domtrans($1) ++ #roleattribute $2 pppd_roles; ++ ++ role $2 types pppd_t; ++ ++ tunable_policy(`pppd_for_user',` ++ ppp_domtrans($1) ++ 
') + ') + + ######################################## +diff --git a/ppp.te b/ppp.te +index 17e10a2..92cec2b 100644 +--- a/ppp.te ++++ b/ppp.te +@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false) + ## + gen_tunable(pppd_for_user, false) + +-attribute_role pppd_roles; ++#attribute_role pppd_roles; + + # pppd_t is the domain for the pppd program. + # pppd_exec_t is the type of the pppd executable. + type pppd_t; + type pppd_exec_t; + init_daemon_domain(pppd_t, pppd_exec_t) +-role pppd_roles types pppd_t; ++#role pppd_roles types pppd_t; ++role system_r types pppd_t; + + type pppd_devpts_t; + term_pty(pppd_devpts_t) +@@ -64,7 +65,8 @@ files_pid_file(pppd_var_run_t) + type pptp_t; + type pptp_exec_t; + init_daemon_domain(pptp_t, pptp_exec_t) +-role pppd_roles types pptp_t; ++#role pppd_roles types pptp_t; ++role system_r types pptp_t; + + type pptp_log_t; + logging_log_file(pptp_log_t) +@@ -176,7 +178,8 @@ init_dontaudit_write_utmp(pppd_t) + init_signal_script(pppd_t) + + auth_use_nsswitch(pppd_t) +-auth_run_chk_passwd(pppd_t,pppd_roles) ++auth_domtrans_chk_passwd(pppd_t) ++#auth_run_chk_passwd(pppd_t,pppd_roles) + auth_write_login_records(pppd_t) + + logging_send_syslog_msg(pppd_t) +@@ -196,7 +199,8 @@ userdom_search_admin_dir(pppd_t) + ppp_exec(pppd_t) + + optional_policy(` +- ddclient_run(pppd_t, pppd_roles) ++ #ddclient_run(pppd_t, pppd_roles) ++ ddclient_domtrans(pppd_t) + ') + + optional_policy(` +diff --git a/usernetctl.if b/usernetctl.if +index d45c715..2d4f1ba 100644 +--- a/usernetctl.if ++++ b/usernetctl.if +@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',` + # + interface(`usernetctl_run',` + gen_require(` +- attribute_role usernetctl_roles; ++ type usernetctl_t; ++ #attribute_role usernetctl_roles; + ') + +- usernetctl_domtrans($1) +- roleattribute $2 usernetctl_roles; ++ #usernetctl_domtrans($1) ++ #roleattribute $2 usernetctl_roles; ++ ++ sysnet_run_ifconfig(usernetctl_t, $2) ++ sysnet_run_dhcpc(usernetctl_t, $2) ++ ++ optional_policy(` ++ 
iptables_run(usernetctl_t, $2) ++ ') ++ ++ optional_policy(` ++ modutils_run_insmod(usernetctl_t, $2) ++ ') ++ ++ optional_policy(` ++ ppp_run(usernetctl_t, $2) ++ ') ++ + ') +diff --git a/usernetctl.te b/usernetctl.te +index 8604c1c..35b12a6 100644 +--- a/usernetctl.te ++++ b/usernetctl.te +@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0) + # Declarations + # + +-attribute_role usernetctl_roles; ++#attribute_role usernetctl_roles; + + type usernetctl_t; + type usernetctl_exec_t; + application_domain(usernetctl_t, usernetctl_exec_t) + domain_interactive_fd(usernetctl_t) +-role usernetctl_roles types usernetctl_t; ++#role usernetctl_roles types usernetctl_t; ++role system_r types usernetctl_t; + + ######################################## + # +@@ -63,29 +64,30 @@ sysnet_read_config(usernetctl_t) + + userdom_use_inherited_user_terminals(usernetctl_t) + +-sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) +-sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) ++#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) ++#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) + + optional_policy(` +- consoletype_run(usernetctl_t, usernetctl_roles) ++ #consoletype_run(usernetctl_t, usernetctl_roles) ++ consoletype_exec(usernetctl_t) + ') + + optional_policy(` + hostname_exec(usernetctl_t) + ') + +-optional_policy(` +- iptables_run(usernetctl_t, usernetctl_roles) +-') ++#optional_policy(` ++# iptables_run(usernetctl_t, usernetctl_roles) ++#') + +-optional_policy(` +- modutils_run_insmod(usernetctl_t, usernetctl_roles) +-') ++#optional_policy(` ++# modutils_run_insmod(usernetctl_t, usernetctl_roles) ++#') + + optional_policy(` + nis_use_ypbind(usernetctl_t) + ') + +-optional_policy(` +- ppp_run(usernetctl_t, usernetctl_roles) +-') ++#optional_policy(` ++# ppp_run(usernetctl_t, usernetctl_roles) ++#') +diff --git a/vpn.if b/vpn.if +index 7b93e07..a4e2f60 100644 +--- a/vpn.if ++++ b/vpn.if +@@ -37,11 +37,16 @@ interface(`vpn_domtrans',` + # + interface(`vpn_run',` + gen_require(` +- 
attribute_role vpnc_roles; ++ #attribute_role vpnc_roles; ++ type vpnc_t; + ') + ++ #vpn_domtrans($1) ++ #roleattribute $2 vpnc_roles; ++ + vpn_domtrans($1) +- roleattribute $2 vpnc_roles; ++ role $2 types vpnc_t; ++ sysnet_run_ifconfig(vpnc_t, $2) + ') + + ######################################## +diff --git a/vpn.te b/vpn.te +index 99fd457..d2585bb 100644 +--- a/vpn.te ++++ b/vpn.te +@@ -5,14 +5,15 @@ policy_module(vpn, 1.15.0) + # Declarations + # + +-attribute_role vpnc_roles; +-roleattribute system_r vpnc_roles; ++#attribute_role vpnc_roles; ++#roleattribute system_r vpnc_roles; + + type vpnc_t; + type vpnc_exec_t; + init_system_domain(vpnc_t, vpnc_exec_t) + application_domain(vpnc_t, vpnc_exec_t) +-role vpnc_roles types vpnc_t; ++#role vpnc_roles types vpnc_t; ++role system_r types vpnc_t; + + type vpnc_tmp_t; + files_tmp_file(vpnc_tmp_t) +@@ -108,7 +109,7 @@ miscfiles_read_localization(vpnc_t) + seutil_dontaudit_search_config(vpnc_t) + seutil_use_newrole_fds(vpnc_t) + +-sysnet_run_ifconfig(vpnc_t, vpnc_roles) ++#sysnet_run_ifconfig(vpnc_t, vpnc_roles) + sysnet_etc_filetrans_config(vpnc_t) + sysnet_manage_config(vpnc_t) + +commit 88b64bdd71ef734271b9370fc37e02785f354f7f +Author: Miroslav Grepl +Date: Thu Jun 7 02:33:40 2012 +0200 + + Fix ncftool.if + +diff --git a/ncftool.if b/ncftool.if +index 3a4455f..59f096b 100644 +--- a/ncftool.if ++++ b/ncftool.if +@@ -43,11 +43,12 @@ interface(`ncftool_run',` + #ncftool_domtrans($1) + #roleattribute $2 ncftool_roles; + +- role $1 types ncftool_t; ++ ncftool_domtrans($1) ++ role $2 types ncftool_t; + +- ncftool_domtrans($2) ++ optional_policy(` ++ brctl_run(ncftool_t, $2) ++ ') + +- ps_process_pattern($2, ncftool_t) +- allow $2 ncftool_t:process signal; + ') + +commit 1d49e7e1383a578e75d16b0b7f58dbe25351b1d9 +Author: Miroslav Grepl +Date: Thu Jun 7 10:47:57 2012 +0200 + + roleattriburte temp fixes for portage and dpkg + +diff --git a/dpkg.if b/dpkg.if +index 4d32b42..d945bd0 100644 +--- a/dpkg.if ++++ b/dpkg.if +@@ 
-62,11 +62,18 @@ interface(`dpkg_domtrans_script',` + # + interface(`dpkg_run',` + gen_require(` +- attribute_role dpkg_roles; ++ #attribute_role dpkg_roles; ++ type dpkg_t, dpkg_script_t + ') + ++ #dpkg_domtrans($1) ++ #roleattribute $2 dpkg_roles; ++ + dpkg_domtrans($1) +- roleattribute $2 dpkg_roles; ++ role $2 types dpkg_t; ++ role $2 types dpkg_script_t; ++ seutil_run_loadpolicy(dpkg_script_t, $2) ++ + ') + + ######################################## +diff --git a/dpkg.te b/dpkg.te +index a1b8f92..9ac1b80 100644 +--- a/dpkg.te ++++ b/dpkg.te +@@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1) + # Declarations + # + +-attribute_role dpkg_roles; +-roleattribute system_r dpkg_roles; ++#attribute_role dpkg_roles; ++#roleattribute system_r dpkg_roles; + + type dpkg_t; + type dpkg_exec_t; +@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t) + domain_role_change_exemption(dpkg_t) + domain_system_change_exemption(dpkg_t) + domain_interactive_fd(dpkg_t) +-role dpkg_roles types dpkg_t; ++#role dpkg_roles types dpkg_t; ++role system_r types dpkg_t; + + # lockfile + type dpkg_lock_t; +@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t) + domain_obj_id_change_exemption(dpkg_script_t) + domain_system_change_exemption(dpkg_script_t) + domain_interactive_fd(dpkg_script_t) +-role dpkg_roles types dpkg_script_t; ++#role dpkg_roles types dpkg_script_t; ++role system_r types dpkg_script_t; + + type dpkg_script_tmp_t; + files_tmp_file(dpkg_script_tmp_t) +@@ -152,9 +154,12 @@ files_exec_etc_files(dpkg_t) + init_domtrans_script(dpkg_t) + init_use_script_ptys(dpkg_t) + ++#libs_exec_ld_so(dpkg_t) ++#libs_exec_lib_files(dpkg_t) ++#libs_run_ldconfig(dpkg_t, dpkg_roles) + libs_exec_ld_so(dpkg_t) + libs_exec_lib_files(dpkg_t) +-libs_run_ldconfig(dpkg_t, dpkg_roles) ++libs_domtrans_ldconfig(dpkg_t) + + logging_send_syslog_msg(dpkg_t) + +@@ -196,19 +201,30 @@ domain_signull_all_domains(dpkg_t) + files_read_etc_runtime_files(dpkg_t) + files_exec_usr_files(dpkg_t) + 
miscfiles_read_localization(dpkg_t) +-modutils_run_depmod(dpkg_t, dpkg_roles) +-modutils_run_insmod(dpkg_t, dpkg_roles) +-seutil_run_loadpolicy(dpkg_t, dpkg_roles) +-seutil_run_setfiles(dpkg_t, dpkg_roles) ++#modutils_run_depmod(dpkg_t, dpkg_roles) ++#modutils_run_insmod(dpkg_t, dpkg_roles) ++#seutil_run_loadpolicy(dpkg_t, dpkg_roles) ++#seutil_run_setfiles(dpkg_t, dpkg_roles) + userdom_use_all_users_fds(dpkg_t) + optional_policy(` + mta_send_mail(dpkg_t) + ') ++ ++ + optional_policy(` +- usermanage_run_groupadd(dpkg_t, dpkg_roles) +- usermanage_run_useradd(dpkg_t, dpkg_roles) ++ modutils_domtrans_depmod(dpkg_t) ++ modutils_domtrans_insmod(dpkg_t) ++ seutil_domtrans_loadpolicy(dpkg_t) ++ seutil_domtrans_setfiles(dpkg_t) ++ usermanage_domtrans_groupadd(dpkg_t) ++ usermanage_domtrans_useradd(dpkg_t) + ') + ++#optional_policy(` ++# usermanage_run_groupadd(dpkg_t, dpkg_roles) ++# usermanage_run_useradd(dpkg_t, dpkg_roles) ++#') ++ + ######################################## + # + # dpkg-script Local policy +@@ -302,11 +318,11 @@ logging_send_syslog_msg(dpkg_script_t) + + miscfiles_read_localization(dpkg_script_t) + +-modutils_run_depmod(dpkg_script_t, dpkg_roles) +-modutils_run_insmod(dpkg_script_t, dpkg_roles) ++#modutils_run_depmod(dpkg_script_t, dpkg_roles) ++#modutils_run_insmod(dpkg_script_t, dpkg_roles) + +-seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) +-seutil_run_setfiles(dpkg_script_t, dpkg_roles) ++#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) ++#seutil_run_setfiles(dpkg_script_t, dpkg_roles) + + userdom_use_all_users_fds(dpkg_script_t) + +@@ -319,9 +335,9 @@ optional_policy(` + apt_use_fds(dpkg_script_t) + ') + +-optional_policy(` +- bootloader_run(dpkg_script_t, dpkg_roles) +-') ++#optional_policy(` ++# bootloader_run(dpkg_script_t, dpkg_roles) ++#') + + optional_policy(` + mta_send_mail(dpkg_script_t) +@@ -335,7 +351,7 @@ optional_policy(` + unconfined_domain(dpkg_script_t) + ') + +-optional_policy(` +- usermanage_run_groupadd(dpkg_script_t, 
dpkg_roles) +- usermanage_run_useradd(dpkg_script_t, dpkg_roles) +-') ++#optional_policy(` ++# usermanage_run_groupadd(dpkg_script_t, dpkg_roles) ++# usermanage_run_useradd(dpkg_script_t, dpkg_roles) ++#') +diff --git a/portage.if b/portage.if +index b4bb48a..e5e8f12 100644 +--- a/portage.if ++++ b/portage.if +@@ -43,11 +43,15 @@ interface(`portage_domtrans',` + # + interface(`portage_run',` + gen_require(` +- attribute_role portage_roles; ++ type portage_t, portage_fetch_t, portage_sandbox_t; ++ #attribute_role portage_roles; + ') + +- portage_domtrans($1) +- roleattribute $2 portage_roles; ++ #portage_domtrans($1) ++ #roleattribute $2 portage_roles; ++ portage_domtrans($1) ++ role $2 types { portage_t portage_fetch_t portage_sandbox_t } ++ + ') + + ######################################## +diff --git a/portage.te b/portage.te +index 22bdf7d..f726e1d 100644 +--- a/portage.te ++++ b/portage.te +@@ -12,7 +12,7 @@ policy_module(portage, 1.12.4) + ## + gen_tunable(portage_use_nfs, false) + +-attribute_role portage_roles; ++#attribute_role portage_roles; + + type gcc_config_t; + type gcc_config_exec_t; +@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t) + domain_obj_id_change_exemption(portage_t) + rsync_entry_type(portage_t) + corecmd_shell_entry_type(portage_t) +-role portage_roles types portage_t; ++#role portage_roles types portage_t; ++role system_r types portage_t; + + # portage compile sandbox domain + type portage_sandbox_t; +@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t) + # the shell is the entrypoint if regular sandbox is disabled + # portage_exec_t is the entrypoint if regular sandbox is enabled + corecmd_shell_entry_type(portage_sandbox_t) +-role portage_roles types portage_sandbox_t; ++#role portage_roles types portage_sandbox_t; ++role system_r types portage_sandbox_t; + + # portage package fetching domain + type portage_fetch_t; +@@ -41,7 +43,8 @@ type portage_fetch_exec_t; + application_domain(portage_fetch_t, 
portage_fetch_exec_t) + corecmd_shell_entry_type(portage_fetch_t) + rsync_entry_type(portage_fetch_t) +-role portage_roles types portage_fetch_t; ++#role portage_roles types portage_fetch_t; ++role system_r types portage_fetch_t; + + type portage_devpts_t; + term_pty(portage_devpts_t) +@@ -115,7 +118,8 @@ files_list_all(gcc_config_t) + init_dontaudit_read_script_status_files(gcc_config_t) + + libs_read_lib_files(gcc_config_t) +-libs_run_ldconfig(gcc_config_t, portage_roles) ++#libs_run_ldconfig(gcc_config_t, portage_roles) ++libs_domtrans_ldconfig(gcc_config_t) + libs_manage_shared_libs(gcc_config_t) + # gcc-config creates a temp dir for the libs + libs_manage_lib_dirs(gcc_config_t) +@@ -196,33 +200,41 @@ auth_manage_shadow(portage_t) + init_exec(portage_t) + + # run setfiles -r +-seutil_run_setfiles(portage_t, portage_roles) ++#seutil_run_setfiles(portage_t, portage_roles) + # run semodule +-seutil_run_semanage(portage_t, portage_roles) ++#seutil_run_semanage(portage_t, portage_roles) + +-portage_run_gcc_config(portage_t, portage_roles) ++#portage_run_gcc_config(portage_t, portage_roles) + # if sesandbox is disabled, compiling is performed in this domain + portage_compile_domain(portage_t) + +-optional_policy(` +- bootloader_run(portage_t, portage_roles) +-') ++#optional_policy(` ++# bootloader_run(portage_t, portage_roles) ++#') + + optional_policy(` + cron_system_entry(portage_t, portage_exec_t) + cron_system_entry(portage_fetch_t, portage_fetch_exec_t) + ') + +-optional_policy(` +- modutils_run_depmod(portage_t, portage_roles) +- modutils_run_update_mods(portage_t, portage_roles) ++#optional_policy(` ++# modutils_run_depmod(portage_t, portage_roles) ++# modutils_run_update_mods(portage_t, portage_roles) + #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; + ') + +-optional_policy(` +- usermanage_run_groupadd(portage_t, portage_roles) +- usermanage_run_useradd(portage_t, portage_roles) +-') ++#optional_policy(` ++# usermanage_run_groupadd(portage_t, 
portage_roles) ++# usermanage_run_useradd(portage_t, portage_roles) ++#') ++ ++seutil_domtrans_setfiles(portage_t) ++seutil_domtrans_semanage(portage_t) ++bootloader_domtrans(portage_t) ++modutils_domtrans_depmod(portage_t) ++modutils_domtrans_update_mods(portage_t) ++usermanage_domtrans_groupadd(portage_t) ++usermanage_domtrans_useradd(portage_t) + + ifdef(`TODO',` + # seems to work ok without these +commit 1797b35f16d5c863a0083148dee4ee3f93c4c4ef +Author: Miroslav Grepl +Date: Thu Jun 7 10:52:09 2012 +0200 + + Fix typo + +diff --git a/portage.if b/portage.if +index e5e8f12..7098ded 100644 +--- a/portage.if ++++ b/portage.if +@@ -50,7 +50,7 @@ interface(`portage_run',` + #portage_domtrans($1) + #roleattribute $2 portage_roles; + portage_domtrans($1) +- role $2 types { portage_t portage_fetch_t portage_sandbox_t } ++ role $2 types { portage_t portage_fetch_t portage_sandbox_t }; + + ') + +commit cf999ca29d2a4401c481e28c169e10d676d73526 +Author: Miroslav Grepl +Date: Thu Jun 7 10:59:22 2012 +0200 + + One more typo + +diff --git a/dpkg.if b/dpkg.if +index d945bd0..78736d8 100644 +--- a/dpkg.if ++++ b/dpkg.if +@@ -63,7 +63,7 @@ interface(`dpkg_domtrans_script',` + interface(`dpkg_run',` + gen_require(` + #attribute_role dpkg_roles; +- type dpkg_t, dpkg_script_t ++ type dpkg_t, dpkg_script_t; + ') + + #dpkg_domtrans($1) diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index b1052b6..600b000 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -18728,7 +18728,7 @@ index 9d3201b..6e75e3d 100644 + allow $1 ftpd_unit_file_t:service all_service_perms; ') diff --git a/ftp.te b/ftp.te -index 4285c83..4bd0373 100644 +index 4285c83..ed96e96 100644 --- a/ftp.te +++ b/ftp.te @@ -40,6 +40,27 @@ gen_tunable(allow_ftpd_use_nfs, false) 
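Review bot: In the portage.te hunk `@@ -196,33 +200,41 @@` the opening `optional_policy(`` of the modutils block is commented out but its closing ` ')` is left as an unchanged context line, so the module now carries a stray close quote and paren that m4/checkpolicy will reject; neither follow-up "typo" commit in this patch touches it. The one-line fix is to comment that line out as well, `#')`, or better, to delete the dead block entirely now that the `modutils_domtrans_*` calls replace it. Related: the replacement calls added at the end of that hunk (`bootloader_domtrans(portage_t)`, `modutils_domtrans_depmod(portage_t)`, `usermanage_domtrans_groupadd(portage_t)` and friends) sit at top level, whereas the calls they replace were wrapped in `optional_policy(`...`)`, so portage now fails to link when any of those contrib modules is absent instead of degrading as before. The dpkg.te hunk has the mirror problem: modutils, seutil and usermanage calls are bundled into one `optional_policy` block, which is dropped entirely if any single one of those modules is missing.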
@@ -18812,7 +18812,15 @@ index 4285c83..4bd0373 100644 dontaudit ftpd_t self:capability sys_tty_config; allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; allow ftpd_t self:fifo_file rw_fifo_file_perms; -@@ -163,13 +200,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file +@@ -151,7 +188,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file) + + manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) + manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) +-files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) + + manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) + manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) +@@ -163,13 +199,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) @@ -18828,7 +18836,7 @@ index 4285c83..4bd0373 100644 # Create and modify /var/log/xferlog. manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) -@@ -177,7 +214,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) +@@ -177,7 +213,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) kernel_read_kernel_sysctls(ftpd_t) kernel_read_system_state(ftpd_t) @@ -18837,7 +18845,7 @@ index 4285c83..4bd0373 100644 dev_read_sysfs(ftpd_t) dev_read_urand(ftpd_t) -@@ -196,9 +233,8 @@ corenet_tcp_bind_generic_node(ftpd_t) +@@ -196,9 +232,8 @@ corenet_tcp_bind_generic_node(ftpd_t) corenet_tcp_bind_ftp_port(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) corenet_tcp_bind_generic_port(ftpd_t) @@ -18849,7 +18857,7 @@ index 4285c83..4bd0373 100644 corenet_sendrecv_ftp_server_packets(ftpd_t) domain_use_interactive_fds(ftpd_t) -@@ -212,13 +248,11 @@ fs_search_auto_mountpoints(ftpd_t) +@@ -212,13 +247,11 @@ fs_search_auto_mountpoints(ftpd_t) fs_getattr_all_fs(ftpd_t) fs_search_fusefs(ftpd_t) 
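Review bot: The new inner hunk `@@ -151,7 +188,6 @@` drops `files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })` without a replacement, so anything ftpd creates under /tmp now takes the parent directory's label (tmp_t, or the polyinstantiated tmp type) instead of ftpd_tmp_t, and the `manage_*_pattern(ftpd_t, ftpd_tmp_t, ...)` rules kept just above only apply to content labelled some other way. Whether ftpd_t can still create there at all depends on generic-tmp permissions I cannot see from this hunk; if it can, its scratch files are no longer separated from other tmp_t users. The commit message gives no reason for the removal, so I would either restore the line or add a comment above the manage rules stating what is expected to label ftpd's tmp content now, e.g. `# no tmp filetrans on purpose: ftpd tmp content is labelled by ... — confirm`.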
@@ -18865,7 +18873,7 @@ index 4285c83..4bd0373 100644 init_rw_utmp(ftpd_t) -@@ -261,7 +295,15 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` +@@ -261,7 +294,15 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` tunable_policy(`allow_ftpd_full_access',` allow ftpd_t self:capability { dac_override dac_read_search }; @@ -18882,7 +18890,7 @@ index 4285c83..4bd0373 100644 ') tunable_policy(`ftp_home_dir',` -@@ -270,10 +312,13 @@ tunable_policy(`ftp_home_dir',` +@@ -270,10 +311,13 @@ tunable_policy(`ftp_home_dir',` # allow access to /home files_list_home(ftpd_t) userdom_read_user_home_content_files(ftpd_t) @@ -18900,7 +18908,7 @@ index 4285c83..4bd0373 100644 ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` -@@ -309,10 +354,34 @@ optional_policy(` +@@ -309,10 +353,34 @@ optional_policy(` ') optional_policy(` @@ -18936,7 +18944,7 @@ index 4285c83..4bd0373 100644 ') optional_policy(` -@@ -347,16 +416,17 @@ optional_policy(` +@@ -347,16 +415,17 @@ optional_policy(` # Allow ftpdctl to talk to ftpd over a socket connection stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -18956,7 +18964,7 @@ index 4285c83..4bd0373 100644 ######################################## # -@@ -365,18 +435,33 @@ userdom_use_user_terminals(ftpdctl_t) +@@ -365,18 +434,33 @@ userdom_use_user_terminals(ftpdctl_t) files_read_etc_files(sftpd_t) @@ -18993,7 +19001,7 @@ index 4285c83..4bd0373 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -394,19 +479,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` +@@ -394,19 +478,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) @@ -53059,10 +53067,10 @@ index 58e7ec0..e4119f7 100644 + allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms; +') 
diff --git a/telnet.te b/telnet.te -index f40e67b..50163e0 100644 +index f40e67b..3519e88 100644 --- a/telnet.te +++ b/telnet.te -@@ -24,16 +24,16 @@ files_pid_file(telnetd_var_run_t) +@@ -24,21 +24,20 @@ files_pid_file(telnetd_var_run_t) # Local policy # @@ -53082,7 +53090,12 @@ index f40e67b..50163e0 100644 term_create_pty(telnetd_t, telnetd_devpts_t) manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) -@@ -81,15 +81,10 @@ miscfiles_read_localization(telnetd_t) + manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) +-files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir }) + + manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t) + files_pid_filetrans(telnetd_t, telnetd_var_run_t, file) +@@ -81,15 +80,10 @@ miscfiles_read_localization(telnetd_t) seutil_read_config(telnetd_t) @@ -53100,7 +53113,7 @@ index f40e67b..50163e0 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_nfs(telnetd_t) -@@ -98,3 +93,12 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -98,3 +92,12 @@ tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_samba_home_dirs',` fs_search_cifs(telnetd_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index bbc3b70..c6e309c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -254,9 +254,11 @@ Based off of reference policy: Checked out revision 2.20091117 %prep %setup -n serefpolicy-contrib-%{version} -q -b 29 %patch1 -p1 +%patch2 -p1 contrib_path=`pwd` %setup -n serefpolicy-%{version} -q %patch -p1 +%patch3 -p1 refpolicy_path=`pwd` cp $contrib_path/* $refpolicy_path/policy/modules/contrib
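Review bot: The added inner hunk `@@ -24,21 +24,20 @@` removes `files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })` while keeping the `manage_*_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)` rules, so new files telnetd writes to /tmp default to the directory's type rather than telnetd_tmp_t and lose the per-domain separation that type exists for. If this is intentional (for example because tmp content is now expected to carry a different type), the intent belongs in a comment next to the remaining manage rules, e.g. `# tmp filetrans intentionally removed: ... — confirm`; otherwise the transition should come back. The rest of the telnetd_t policy lies outside the hunk, so I cannot tell whether generic tmp_t create access is granted elsewhere.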