diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index b248a9a..2e1116f 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -61,6 +61,25 @@ template(`su_restricted_domain_template', `
 	miscfiles_read_localization($1_su_t)
 
+	ifdef(`distro_rhel4',`
+		domain_role_change_exemption($1_su_t)
+		domain_subj_id_change_exemption($1_su_t)
+		domain_obj_id_change_exemption($1_su_t)
+
+		selinux_get_fs_mount($1_su_t)
+		selinux_validate_context($1_su_t)
+		selinux_compute_access_vector($1_su_t)
+		selinux_compute_create_context($1_su_t)
+		selinux_compute_relabel_context($1_su_t)
+		selinux_compute_user_contexts($1_su_t)
+
+		seutil_read_config($1_su_t)
+		seutil_read_default_contexts($1_su_t)
+
+		# Only allow transitions to unprivileged user domains.
+		userdom_spec_domtrans_unpriv_users($1_su_t)
+	')
+
 	optional_policy(`
 		cron_read_pipes($1_su_t)
 	')
 
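Review bot: The `ifdef(`distro_rhel4',` block added here duplicates, line for line, the exemption and selinux_* / seutil_* grants that the second hunk adds to su_per_userdomain_template, so the two copies will drift apart the next time one of them is touched; the shared part would be better factored into one file-local template (e.g. a `su_rhel4_domain_template($1_su_t)` called from both) so the role/user-change exemptions are granted in exactly one place. The block also gives no reason for the exemptions, which are a significant widening of the restricted su domain — domain_role_change_exemption, domain_subj_id_change_exemption and domain_obj_id_change_exemption let $1_su_t change role and SELinux user across a transition — so a comment at the top of the block along the lines of `# RHEL4 su runs with the SELinux-aware transition path and needs the role/user change exemptions` (or whatever the actual rationale is) would help a later reviewer judge whether the grant is still needed. The restricted template allows only userdom_spec_domtrans_unpriv_users, while the per-userdomain copy in the next hunk honours secure_mode; if that asymmetry is deliberate it deserves a sentence. The su_restricted_domain_template body starts before and continues past this hunk.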
@@ -180,6 +199,44 @@ template(`su_per_userdomain_template',`
 	userdom_use_user_terminals($1,$1_su_t)
 	userdom_search_user_home_dirs($1,$1_su_t)
 
+	ifdef(`distro_rhel4',`
+		domain_role_change_exemption($1_su_t)
+		domain_subj_id_change_exemption($1_su_t)
+		domain_obj_id_change_exemption($1_su_t)
+
+		selinux_get_fs_mount($1_su_t)
+		selinux_validate_context($1_su_t)
+		selinux_compute_access_vector($1_su_t)
+		selinux_compute_create_context($1_su_t)
+		selinux_compute_relabel_context($1_su_t)
+		selinux_compute_user_contexts($1_su_t)
+
+		# Relabel ttys and ptys.
+		term_relabel_all_user_ttys($1_su_t)
+		term_relabel_all_user_ptys($1_su_t)
+		# Close and re-open ttys and ptys to get the fd into the correct domain.
+		term_use_all_user_ttys($1_su_t)
+		term_use_all_user_ptys($1_su_t)
+
+		seutil_read_config($1_su_t)
+		seutil_read_default_contexts($1_su_t)
+
+		ifdef(`strict_policy',`
+			if(secure_mode) {
+				# Only allow transitions to unprivileged user domains.
+				userdom_spec_domtrans_unpriv_users($1_su_t)
+			} else {
+				# Allow transitions to all user domains
+				userdom_spec_domtrans_all_users($1_su_t)
+			}
+		')
+
+		ifdef(`targeted_policy',`
+			unconfined_domtrans($1_su_t)
+			unconfined_signal($1_su_t)
+		')
+	')
+
 	ifdef(`enable_polyinstantiation',`
 		fs_mount_xattr_fs($1_su_t)
 		fs_unmount_xattr_fs($1_su_t)
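Review bot: Inside the new `ifdef(`distro_rhel4',` block the transition target is chosen only by the nested `ifdef(`strict_policy',` and `ifdef(`targeted_policy',` branches, while the exemptions, selinux_* computations and term_relabel_all_user_ttys/ptys grants above them are unconditional; if the build ever defines distro_rhel4 with neither policy type (I cannot tell from the hunk whether that is possible), $1_su_t would hold role/user-change exemptions and relabel rights on every user tty with no permitted transition at all, which is presumably not intended. Either guard the whole block on the policy type or add a comment such as `# distro_rhel4 assumes strict_policy or targeted_policy is defined` so the dependency is explicit. Note also that with secure_mode off the strict branch combines domain_role_change_exemption with userdom_spec_domtrans_all_users, so the security of the su domain rests on that boolean; a one-line comment on the `if(secure_mode) {` line pointing this out would help the policy maintainer. The su_per_userdomain_template body starts before and continues past this hunk.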