diff --git a/Changelog b/Changelog
index 0d17563..31d542c 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add role infrastructure.
- Debian updates from Erich Schubert.
- Add nscd_socket_use() to auth_use_nsswitch().
- Remove old selopt rules.
diff --git a/Makefile b/Makefile
index 2e2699e..3d88b9c 100644
--- a/Makefile
+++ b/Makefile
@@ -295,17 +295,46 @@ filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\
# Functions
#
+# parse-rolemap-compat modulename,outputfile
+define parse-rolemap-compat
+ $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+ $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
# parse-rolemap modulename,outputfile
define parse-rolemap
$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef
-# peruser-expansion modulename,outputfile
-define peruser-expansion
- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
+# perrole-expansion modulename,outputfile
+define perrole-expansion
+ $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
$(call parse-rolemap,$1,$2)
$(verbose) echo "')" >> $2
+
+ $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+ $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+ $(call parse-rolemap-compat,$1,$2)
+ $(verbose) echo "')" >> $2
+endef
+
+# create-base-per-role-tmpl modulenames,outputfile
+define create-base-per-role-tmpl
+ $(verbose) echo "define(\`base_per_role_template',\`" >> $2
+
+ $(verbose) for i in $1; do \
+ echo "ifdef(\`""$$i""_per_role_template',\`""$$i""_per_role_template("'$$*'")')" \
+ >> $2 ;\
+ done
+
+ $(verbose) for i in $1; do \
+ echo "ifdef(\`""$$i""_per_userdomain_template',\`" >> $2 ;\
+ echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$$i""_per_userdomain_template)'__endline__)" >> $2 ;\
+ echo """$$i""_per_userdomain_template("'$$*'")')" >> $2 ;\
+ done
+ $(verbose) echo "')" >> $@
+
endef
########################################
diff --git a/Rules.modular b/Rules.modular
index c8018a2..63e60f8 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -71,7 +71,7 @@ $(modpkgdir)/%.pp: $(builddir)%.pp
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
@echo "Compliling $(NAME) $(@F) module"
@test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(call peruser-expansion,$(basename $(@F)),$@.role)
+ $(call perrole-expansion,$(basename $(@F)),$@.role)
$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
@@ -120,13 +120,7 @@ $(tmpdir)/generated_definitions.conf: $(base_te_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
# define all available object classes
$(verbose) $(genperm) $(avs) $(secclass) > $@
-# per-userdomain templates
- $(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
- $(verbose) for i in $(patsubst %.te,%,$(base_mods)); do \
- echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
- >> $@ ;\
- done
- $(verbose) echo "')" >> $@
+ $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
diff --git a/Rules.monolithic b/Rules.monolithic
index 745268e..1209145 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -114,11 +114,7 @@ $(tmpdir)/generated_definitions.conf: $(all_te_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
# define all available object classes
$(verbose) $(genperm) $(avs) $(secclass) > $@
-# per-userdomain templates:
- $(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
- $(verbose) $(foreach mod,$(basename $(notdir $(all_modules))), \
- echo "ifdef(\`""$(mod)""_per_userdomain_template',\`""$(mod)""_per_userdomain_template("'$$*'")')" >> $@ ;)
- $(verbose) echo "')" >> $@
+ $(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
diff --git a/doc/policy.dtd b/doc/policy.dtd
index 7990cff..dddae6a 100644
--- a/doc/policy.dtd
+++ b/doc/policy.dtd
@@ -20,9 +20,9 @@
name CDATA #REQUIRED
dftval CDATA #REQUIRED>
<!ELEMENT summary (#PCDATA)>
-<!ELEMENT interface (summary,desc?,param+,infoflow?)>
+<!ELEMENT interface (summary,desc?,param+,infoflow?,(rolebase|rolecap)?)>
<!ATTLIST interface name CDATA #REQUIRED lineno CDATA #REQUIRED>
-<!ELEMENT template (summary,desc?,param+)>
+<!ELEMENT template (summary,desc?,param+,(rolebase|rolecap)?)>
<!ATTLIST template name CDATA #REQUIRED lineno CDATA #REQUIRED>
<!ELEMENT desc (#PCDATA|%inline.class;)*>
<!ELEMENT param (summary)>
@@ -33,6 +33,8 @@
<!ATTLIST infoflow
type CDATA #REQUIRED
weight CDATA #IMPLIED>
+<!ELEMENT rolebase EMPTY>
+<!ELEMENT rolecap EMPTY>
<!ATTLIST pre caption CDATA #IMPLIED>
<!ELEMENT p (#PCDATA|%inline.class;)*>
diff --git a/policy/global_tunables b/policy/global_tunables
index 0cb55b8..2b98122 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -536,13 +536,6 @@ gen_tunable(user_rw_noexattrfile,false)
## <desc>
## <p>
-## Allow users to rw usb devices
-## </p>
-## </desc>
-gen_tunable(user_rw_usb,false)
-
-## <desc>
-## <p>
## Allow users to run TCP servers (bind to ports and accept connection from
## the same domain and outside users) disabling this forces FTP passive mode
## and may change other protocols.
diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
index f7b1645..d44693c 100644
--- a/policy/modules/admin/amanda.if
+++ b/policy/modules/admin/amanda.if
@@ -43,6 +43,7 @@ interface(`amanda_domtrans_recover',`
## The type of the terminal allow the amanda_recover domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`amanda_run_recover',`
gen_require(`
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 180f05e..1f97994 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -45,6 +45,7 @@ interface(`apt_domtrans',`
## The type of the terminal allow the apt domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`apt_run',`
gen_require(`
diff --git a/policy/modules/admin/backup.if b/policy/modules/admin/backup.if
index 64beebe..12098a2 100644
--- a/policy/modules/admin/backup.if
+++ b/policy/modules/admin/backup.if
@@ -41,6 +41,7 @@ interface(`backup_domtrans',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`backup_run',`
gen_require(`
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index 8f6707b..315882e 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -43,6 +43,7 @@ interface(`bootloader_domtrans',`
## The type of the terminal allow the bootloader domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`bootloader_run',`
gen_require(`
@@ -83,6 +84,7 @@ interface(`bootloader_read_config',`
## The type of the process performing this action.
## </summary>
## </param>
+## <rolecap/>
#
interface(`bootloader_rw_config',`
gen_require(`
diff --git a/policy/modules/admin/certwatch.if b/policy/modules/admin/certwatch.if
index 84e3852..c5f9e2a 100644
--- a/policy/modules/admin/certwatch.if
+++ b/policy/modules/admin/certwatch.if
@@ -47,6 +47,7 @@ interface(`certwatch_domtrans',`
## The type of the terminal allow the certwatch domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`certwatach_run',`
gen_require(`
diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
index 58a2018..b791540 100644
--- a/policy/modules/admin/consoletype.if
+++ b/policy/modules/admin/consoletype.if
@@ -66,6 +66,7 @@ interface(`consoletype_run',`
## The type of the process performing this action.
## </summary>
## </param>
+## <rolecap/>
#
interface(`consoletype_exec',`
gen_require(`
diff --git a/policy/modules/admin/ddcprobe.if b/policy/modules/admin/ddcprobe.if
index 875b7d2..8a7ea14 100644
--- a/policy/modules/admin/ddcprobe.if
+++ b/policy/modules/admin/ddcprobe.if
@@ -43,6 +43,7 @@ interface(`ddcprobe_domtrans',`
## The type of the terminal allow the clock domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`ddcprobe_run',`
gen_require(`
diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
index 0ca1319..e1bc978 100644
--- a/policy/modules/admin/dmesg.if
+++ b/policy/modules/admin/dmesg.if
@@ -42,6 +42,7 @@ interface(`dmesg_domtrans',`
## The type of the process performing this action.
## </summary>
## </param>
+## <rolecap/>
#
interface(`dmesg_exec',`
ifdef(`targeted_policy',`
diff --git a/policy/modules/admin/dmidecode.if b/policy/modules/admin/dmidecode.if
index 70d6044..a2c318f 100644
--- a/policy/modules/admin/dmidecode.if
+++ b/policy/modules/admin/dmidecode.if
@@ -43,6 +43,7 @@ interface(`dmidecode_domtrans',`
## The type of the terminal allow the dmidecode domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`dmidecode_run',`
gen_require(`
diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if
index 5d494be..b4dcfc4 100644
--- a/policy/modules/admin/dpkg.if
+++ b/policy/modules/admin/dpkg.if
@@ -71,6 +71,7 @@ interface(`dpkg_domtrans_script',`
## The type of the terminal allow the dpkg domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`dpkg_run',`
gen_require(`
diff --git a/policy/modules/admin/kudzu.if b/policy/modules/admin/kudzu.if
index 605a394..8d10285 100644
--- a/policy/modules/admin/kudzu.if
+++ b/policy/modules/admin/kudzu.if
@@ -43,6 +43,7 @@ interface(`kudzu_domtrans',`
## The type of the terminal allow the kudzu domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kudzu_run',`
gen_require(`
diff --git a/policy/modules/admin/logrotate.if b/policy/modules/admin/logrotate.if
index 988ddfc..480120c 100644
--- a/policy/modules/admin/logrotate.if
+++ b/policy/modules/admin/logrotate.if
@@ -43,6 +43,7 @@ interface(`logrotate_domtrans',`
## The type of the terminal allow the logrotate domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`logrotate_run',`
gen_require(`
diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
index 9fdfc1f..e562e6d 100644
--- a/policy/modules/admin/netutils.if
+++ b/policy/modules/admin/netutils.if
@@ -43,6 +43,7 @@ interface(`netutils_domtrans',`
## The type of the terminal allow the netutils domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`netutils_run',`
gen_require(`
@@ -151,6 +152,7 @@ interface(`netutils_signal_ping',`
## The type of the terminal allow the ping domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`netutils_run_ping',`
gen_require(`
@@ -182,6 +184,7 @@ interface(`netutils_run_ping',`
## The type of the terminal allow the ping domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`netutils_run_ping_cond',`
gen_require(`
@@ -258,6 +261,7 @@ interface(`netutils_domtrans_traceroute',`
## The type of the terminal allow the traceroute domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`netutils_run_traceroute',`
gen_require(`
@@ -289,6 +293,7 @@ interface(`netutils_run_traceroute',`
## The type of the terminal allow the traceroute domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`netutils_run_traceroute_cond',`
gen_require(`
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 14f8312..03640ee 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -54,6 +54,7 @@ interface(`portage_domtrans',`
## The type of the terminal allow for portage to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`portage_run',`
gen_require(`
@@ -394,6 +395,7 @@ interface(`portage_domtrans_gcc_config',`
## The type of the terminal allow for gcc_config to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`portage_run_gcc_config',`
gen_require(`
diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
index 8d3bac7..1e954d0 100644
--- a/policy/modules/admin/quota.if
+++ b/policy/modules/admin/quota.if
@@ -43,6 +43,7 @@ interface(`quota_domtrans',`
## The type of the terminal allow the quota domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`quota_run',`
gen_require(`
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index 9b37218..83e3bfe 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -68,6 +68,7 @@ interface(`rpm_domtrans_script',`
## The type of the terminal allow the RPM domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`rpm_run',`
gen_require(`
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 6c493c7..8be3a0c 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -127,7 +127,7 @@ template(`su_restricted_domain_template', `
#######################################
## <summary>
-## The per user domain template for the su module.
+## The per role template for the su module.
## </summary>
## <desc>
## <p>
@@ -158,7 +158,7 @@ template(`su_restricted_domain_template', `
## </summary>
## </param>
#
-template(`su_per_userdomain_template',`
+template(`su_per_role_template',`
gen_require(`
type su_exec_t;
bool secure_mode;
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index e0ff588..07e894f 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the sudo module.
+## The per role template for the sudo module.
## </summary>
## <desc>
## <p>
@@ -33,7 +33,7 @@
## </summary>
## </param>
#
-template(`sudo_per_userdomain_template',`
+template(`sudo_per_role_template',`
gen_require(`
type sudo_exec_t;
diff --git a/policy/modules/admin/sxid.if b/policy/modules/admin/sxid.if
index 36c3a48..114fad0 100644
--- a/policy/modules/admin/sxid.if
+++ b/policy/modules/admin/sxid.if
@@ -10,6 +10,7 @@
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`sxid_read_log',`
gen_require(`
diff --git a/policy/modules/admin/tripwire.if b/policy/modules/admin/tripwire.if
index a8b38c0..4db23aa 100644
--- a/policy/modules/admin/tripwire.if
+++ b/policy/modules/admin/tripwire.if
@@ -54,6 +54,7 @@ interface(`tripwire_domtrans_tripwire',`
## The type of the terminal allow the tripwire domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`tripwire_run_tripwire',`
gen_require(`
@@ -106,6 +107,7 @@ interface(`tripwire_domtrans_twadmin',`
## The type of the terminal allow the twadmin domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`tripwire_run_twadmin',`
gen_require(`
@@ -158,6 +160,7 @@ interface(`tripwire_domtrans_twprint',`
## The type of the terminal allow the twprint domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`tripwire_run_twprint',`
gen_require(`
@@ -210,6 +213,7 @@ interface(`tripwire_domtrans_siggen',`
## The type of the terminal allow the siggen domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`tripwire_run_siggen',`
gen_require(`
diff --git a/policy/modules/admin/usbmodules.if b/policy/modules/admin/usbmodules.if
index b27fb16..fea1445 100644
--- a/policy/modules/admin/usbmodules.if
+++ b/policy/modules/admin/usbmodules.if
@@ -45,6 +45,7 @@ interface(`usbmodules_domtrans',`
## The type of the terminal allow the usbmodules domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`usbmodules_run',`
gen_require(`
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 9a1c41e..b49086d 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -101,6 +101,7 @@ interface(`usermanage_domtrans_groupadd',`
## The type of the terminal allow the groupadd domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`usermanage_run_groupadd',`
gen_require(`
@@ -215,6 +216,7 @@ interface(`usermanage_domtrans_admin_passwd',`
## The type of the terminal allow the admin passwd domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`usermanage_run_admin_passwd',`
gen_require(`
@@ -271,6 +273,7 @@ interface(`usermanage_domtrans_useradd',`
## The type of the terminal allow the useradd domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`usermanage_run_useradd',`
gen_require(`
diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if
index eb9b4eb..fea1dd4 100644
--- a/policy/modules/admin/vpn.if
+++ b/policy/modules/admin/vpn.if
@@ -43,6 +43,7 @@ interface(`vpn_domtrans',`
## The type of the terminal allow the vpnc domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`vpn_run',`
gen_require(`
diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if
index 4b98c08..d20691e 100644
--- a/policy/modules/apps/cdrecord.if
+++ b/policy/modules/apps/cdrecord.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the cdrecord module.
+## The per role template for the cdrecord module.
## </summary>
## <desc>
## <p>
@@ -32,7 +32,7 @@
## </summary>
## </param>
#
-template(`cdrecord_per_userdomain_template', `
+template(`cdrecord_per_role_template', `
gen_require(`
type cdrecord_exec_t;
diff --git a/policy/modules/apps/ethereal.if b/policy/modules/apps/ethereal.if
index 6215059..6d0eda3 100644
--- a/policy/modules/apps/ethereal.if
+++ b/policy/modules/apps/ethereal.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the ethereal module.
+## The per role template for the ethereal module.
## </summary>
## <desc>
## <p>
@@ -32,7 +32,7 @@
## </summary>
## </param>
#
-template(`ethereal_per_userdomain_template',`
+template(`ethereal_per_role_template',`
##############################
#
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index 16b640e..9f197dc 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the evolution module.
+## The per role template for the evolution module.
## </summary>
## <desc>
## <p>
@@ -33,7 +33,7 @@
## </summary>
## </param>
#
-template(`evolution_per_userdomain_template',`
+template(`evolution_per_role_template',`
########################################
#
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
index 592a423..685a656 100644
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the games module.
+## The per role template for the games module.
## </summary>
## <desc>
## <p>
@@ -32,7 +32,7 @@
## </summary>
## </param>
#
-template(`games_per_userdomain_template',`
+template(`games_per_role_template',`
########################################
#
diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if
index 8ddc30c..5a707ef 100644
--- a/policy/modules/apps/gift.if
+++ b/policy/modules/apps/gift.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the gift module.
+## The per role template for the gift module.
## </summary>
## <desc>
## <p>
@@ -32,7 +32,7 @@
## </summary>
## </param>
#
-template(`gift_per_userdomain_template',`
+template(`gift_per_role_template',`
##############################
#
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index 9d49603..b125e78 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the gpg module.
+## The per role template for the gpg module.
## </summary>
## <desc>
## <p>
@@ -34,7 +34,7 @@
## </summary>
## </param>
#
-template(`gpg_per_userdomain_template',`
+template(`gpg_per_role_template',`
gen_require(`
type gpg_exec_t, gpg_helper_exec_t;
type gpg_agent_exec_t, pinentry_exec_t;
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 16848bc..16b2ae9 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the irc module.
+## The per role template for the irc module.
## </summary>
## <desc>
## <p>
@@ -32,7 +32,7 @@
## </summary>
## </param>
#
-template(`irc_per_userdomain_template',`
+template(`irc_per_role_template',`
gen_require(`
type irc_exec_t;
')
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
index 53d83fa..8617525 100644
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the java module.
+## The per role template for the java module.
## </summary>
## <desc>
## <p>
@@ -32,7 +32,7 @@
## </summary>
## </param>
#
-template(`java_per_userdomain_template',`
+template(`java_per_role_template',`
gen_require(`
type java_exec_t;
')
diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if
index 3e2f6da..d85b82c 100644
--- a/policy/modules/apps/loadkeys.if
+++ b/policy/modules/apps/loadkeys.if
@@ -47,6 +47,7 @@ interface(`loadkeys_domtrans',`
## The type of the terminal allow the loadkeys domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`loadkeys_run',`
ifdef(`targeted_policy',`
diff --git a/policy/modules/apps/lockdev.if b/policy/modules/apps/lockdev.if
index ddf08c4..c462bcc 100644
--- a/policy/modules/apps/lockdev.if
+++ b/policy/modules/apps/lockdev.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the lockdev module.
+## The per role template for the lockdev module.
## </summary>
## <desc>
## <p>
@@ -33,7 +33,7 @@
## </summary>
## </param>
#
-template(`lockdev_per_userdomain_template',`
+template(`lockdev_per_role_template',`
gen_require(`
type lockdev_exec_t;
')
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 4d1b332..06b220f 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the mozilla module.
+## The per role template for the mozilla module.
## </summary>
## <desc>
## <p>
@@ -32,7 +32,7 @@
## </summary>
## </param>
#
-template(`mozilla_per_userdomain_template',`
+template(`mozilla_per_role_template',`
########################################
#
@@ -362,7 +362,7 @@ template(`mozilla_per_userdomain_template',`
ifdef(`TODO',`
# Java plugin
optional_policy(`
- #reh, these are hacked in types due to the use of the java_per_userdomain_template
+ #reh, these are hacked in types due to the use of the java_per_role_template
type $1_mozilla_tmp_t;
files_tmp_file($1_mozilla_tmp_t)
@@ -374,7 +374,7 @@ template(`mozilla_per_userdomain_template',`
type $1_mozilla_home_dir_t;
userdom_user_home_content($1,$1_mozilla_home_dir_t)
- java_per_userdomain_template($1_mozilla,$2,$3)
+ java_per_role_template($1_mozilla,$2,$3)
')
######### Launch mplayer
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index 347f0fb..45c3bf5 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the mplayer module.
+## The per role template for the mplayer module.
## </summary>
## <desc>
## <p>
@@ -32,7 +32,7 @@
## </summary>
## </param>
#
-template(`mplayer_per_userdomain_template',`
+template(`mplayer_per_role_template',`
########################################
#
diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if
index 2a84766..965e988 100644
--- a/policy/modules/apps/rssh.if
+++ b/policy/modules/apps/rssh.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the rssh module.
+## The per role template for the rssh module.
## </summary>
## <desc>
## <p>
@@ -23,7 +23,7 @@
## </summary>
## </param>
#
-template(`rssh_per_userdomain_template',`
+template(`rssh_per_role_template',`
##############################
#
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
index fa61d05..f65b59f 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the screen module.
+## The per role template for the screen module.
## </summary>
## <desc>
## <p>
@@ -32,7 +32,7 @@
## </summary>
## </param>
#
-template(`screen_per_userdomain_template',`
+template(`screen_per_role_template',`
gen_require(`
type screen_dir_t, screen_exec_t;
')
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
index 0c84014..839142d 100644
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the thunderbird module.
+## The per role template for the thunderbird module.
## </summary>
## <desc>
## <p>
@@ -32,7 +32,7 @@
## </summary>
## </param>
#
-template(`thunderbird_per_userdomain_template',`
+template(`thunderbird_per_role_template',`
########################################
#
diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if
index 22c035f..f743169 100644
--- a/policy/modules/apps/tvtime.if
+++ b/policy/modules/apps/tvtime.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the tvtime module.
+## The per role template for the tvtime module.
## </summary>
## <desc>
## <p>
@@ -32,7 +32,7 @@
## </summary>
## </param>
#
-template(`tvtime_per_userdomain_template',`
+template(`tvtime_per_role_template',`
########################################
#
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index 8be916a..a599b7d 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the uml module.
+## The per role template for the uml module.
## </summary>
## <desc>
## <p>
@@ -32,7 +32,7 @@
## </summary>
## </param>
#
-template(`uml_per_userdomain_template',`
+template(`uml_per_role_template',`
########################################
#
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
index 7447019..e755216 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the userhelper module.
+## The per role template for the userhelper module.
## </summary>
## <desc>
## <p>
@@ -32,7 +32,7 @@
## </summary>
## </param>
#
-template(`userhelper_per_userdomain_template',`
+template(`userhelper_per_role_template',`
gen_require(`
type userhelper_exec_t, userhelper_conf_t;
')
diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if
index 06d73e3..49a9779 100644
--- a/policy/modules/apps/usernetctl.if
+++ b/policy/modules/apps/usernetctl.if
@@ -47,6 +47,7 @@ interface(`usernetctl_domtrans',`
## The type of the terminal allow the usernetctl domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`usernetctl_run',`
gen_require(`
diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if
index 1f63d96..8ed664a 100644
--- a/policy/modules/apps/vmware.if
+++ b/policy/modules/apps/vmware.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the vmware module.
+## The per role template for the vmware module.
## </summary>
## <desc>
## <p>
@@ -32,7 +32,7 @@
## </summary>
## </param>
#
-template(`vmware_per_userdomain_template',`
+template(`vmware_per_role_template',`
##############################
#
diff --git a/policy/modules/apps/webalizer.if b/policy/modules/apps/webalizer.if
index 642ba83..b754943 100644
--- a/policy/modules/apps/webalizer.if
+++ b/policy/modules/apps/webalizer.if
@@ -43,6 +43,7 @@ interface(`webalizer_domtrans',`
## The type of the terminal allow the webalizer domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`webalizer_run',`
gen_require(`
diff --git a/policy/modules/apps/yam.if b/policy/modules/apps/yam.if
index 450fb4e..57e30ea 100644
--- a/policy/modules/apps/yam.if
+++ b/policy/modules/apps/yam.if
@@ -44,6 +44,7 @@ interface(`yam_domtrans',`
## The type of the terminal allow the yam domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`yam_run',`
gen_require(`
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 1514fde..8eb3a9e 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -920,6 +920,7 @@ interface(`corecmd_exec_chroot',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`corecmd_exec_all_executables',`
gen_require(`
@@ -941,6 +942,7 @@ interface(`corecmd_exec_all_executables',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`corecmd_manage_all_executables',`
gen_require(`
@@ -962,6 +964,7 @@ interface(`corecmd_manage_all_executables',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`corecmd_relabel_all_executables',`
gen_require(`
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index e17a5d5..8583729 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -55,6 +55,7 @@ interface(`dev_node',`
## Domain allowed to relabel.
## </summary>
## </param>
+## <rolecap/>
#
interface(`dev_relabel_all_dev_nodes',`
gen_require(`
@@ -389,6 +390,25 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
########################################
## <summary>
+## Create symbolic links in device directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir add_entry_dir_perms;
+ allow $1 device_t:lnk_file create;
+')
+
+########################################
+## <summary>
## Delete symbolic links in device directories.
## </summary>
## <param name="domain">
@@ -402,7 +422,7 @@ interface(`dev_delete_generic_symlinks',`
type device_t;
')
- allow $1 device_t:dir { getattr read write remove_name };
+ allow $1 device_t:dir del_entry_dir_perms;
allow $1 device_t:lnk_file unlink;
')
@@ -576,6 +596,7 @@ interface(`dev_filetrans',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`dev_getattr_all_blk_files',`
gen_require(`
@@ -612,6 +633,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`dev_getattr_all_chr_files',`
gen_require(`
@@ -648,6 +670,7 @@ interface(`dev_dontaudit_getattr_all_chr_files',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`dev_setattr_all_blk_files',`
gen_require(`
@@ -667,6 +690,7 @@ interface(`dev_setattr_all_blk_files',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`dev_setattr_all_chr_files',`
gen_require(`
@@ -715,6 +739,122 @@ interface(`dev_dontaudit_read_all_chr_files',`
########################################
## <summary>
+## Create all block device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ allow $1 self:capability mknod;
+ allow $1 device_t:dir add_entry_dir_perms;
+ allow $1 device_node:blk_file create;
+')
+
+########################################
+## <summary>
+## Create all character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_all_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ allow $1 self:capability mknod;
+ allow $1 device_t:dir add_entry_dir_perms;
+ allow $1 device_node:chr_file create;
+')
+
+########################################
+## <summary>
+## Delete all block device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_delete_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ allow $1 device_t:dir del_entry_dir_perms;
+ allow $1 device_node:blk_file delete_file_perms;
+')
+
+########################################
+## <summary>
+## Delete all character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_delete_all_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ allow $1 device_t:dir del_entry_dir_perms;
+ allow $1 device_node:chr_file delete_file_perms;
+')
+
+########################################
+## <summary>
+## Rename all block device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rename_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ allow $1 device_t:dir rw_dir_perms;
+ allow $1 device_node:blk_file rename;
+')
+
+########################################
+## <summary>
+## Rename all character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rename_all_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ allow $1 device_t:dir rw_dir_perms;
+ allow $1 device_node:chr_file rename;
+')
+
+########################################
+## <summary>
## Read, write, create, and delete all block device files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 3150795..6f30f63 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.1.20)
+policy_module(devices,1.1.21)
########################################
#
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 3de6530..d1b3087 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -218,6 +218,7 @@ interface(`domain_role_change_exemption',`
## The process type to make an exception to the constraint.
## </summary>
## </param>
+## <rolecap/>
#
interface(`domain_obj_id_change_exemption',`
gen_require(`
@@ -400,6 +401,7 @@ interface(`domain_sigchld_interactive_fds',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`domain_setpriority_all_domains',`
gen_require(`
@@ -418,6 +420,7 @@ interface(`domain_setpriority_all_domains',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`domain_signal_all_domains',`
gen_require(`
@@ -436,6 +439,7 @@ interface(`domain_signal_all_domains',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`domain_signull_all_domains',`
gen_require(`
@@ -454,6 +458,7 @@ interface(`domain_signull_all_domains',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`domain_sigstop_all_domains',`
gen_require(`
@@ -472,6 +477,7 @@ interface(`domain_sigstop_all_domains',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`domain_sigchld_all_domains',`
gen_require(`
@@ -490,6 +496,7 @@ interface(`domain_sigchld_all_domains',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`domain_kill_all_domains',`
gen_require(`
@@ -547,6 +554,7 @@ interface(`domain_dontaudit_search_all_domains_state',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`domain_read_all_domains_state',`
gen_require(`
@@ -568,6 +576,7 @@ interface(`domain_read_all_domains_state',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`domain_getattr_all_domains',`
gen_require(`
@@ -604,6 +613,7 @@ interface(`domain_dontaudit_getattr_all_domains',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`domain_read_confined_domains_state',`
gen_require(`
@@ -628,6 +638,7 @@ interface(`domain_read_confined_domains_state',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`domain_getattr_confined_domains',`
gen_require(`
@@ -646,6 +657,7 @@ interface(`domain_getattr_confined_domains',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`domain_ptrace_all_domains',`
gen_require(`
@@ -1090,6 +1102,7 @@ interface(`domain_read_all_entry_files',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`domain_exec_all_entry_files',`
gen_require(`
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 4123678..8ade7e6 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -510,6 +510,7 @@ interface(`files_execmod_all_files',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_read_non_security_files',`
gen_require(`
@@ -704,6 +705,7 @@ interface(`files_dontaudit_getattr_non_security_chr_files',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_read_all_symlinks',`
gen_require(`
@@ -882,6 +884,7 @@ interface(`files_read_all_chr_files',`
## must be negated by the caller.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_relabel_all_files',`
gen_require(`
@@ -916,6 +919,7 @@ interface(`files_relabel_all_files',`
## must be negated by the caller.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_manage_all_files',`
gen_require(`
@@ -1355,6 +1359,7 @@ interface(`files_boot_filetrans',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_manage_boot_files',`
gen_require(`
@@ -1452,6 +1457,7 @@ interface(`files_read_kernel_img',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_create_kernel_img',`
gen_require(`
@@ -1472,6 +1478,7 @@ interface(`files_create_kernel_img',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_delete_kernel',`
gen_require(`
@@ -1803,6 +1810,7 @@ interface(`files_dontaudit_write_etc_files',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_rw_etc_files',`
gen_require(`
@@ -1824,6 +1832,7 @@ interface(`files_rw_etc_files',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_manage_etc_files',`
gen_require(`
@@ -1939,6 +1948,7 @@ interface(`files_etc_filetrans',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_create_boot_flag',`
gen_require(`
@@ -1960,6 +1970,7 @@ interface(`files_create_boot_flag',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_read_etc_runtime_files',`
gen_require(`
@@ -2001,6 +2012,7 @@ interface(`files_dontaudit_read_etc_runtime_files',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_rw_etc_runtime_files',`
gen_require(`
@@ -2022,6 +2034,7 @@ interface(`files_rw_etc_runtime_files',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_manage_etc_runtime_files',`
gen_require(`
@@ -2436,6 +2449,24 @@ interface(`files_home_filetrans',`
########################################
## <summary>
+## Get the attributes of lost+found directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_lost_found_dirs',`
+ gen_require(`
+ type lost_found_t;
+ ')
+
+ allow $1 lost_found_t:dir getattr;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete objects in
## lost+found directories.
## </summary>
@@ -2444,6 +2475,7 @@ interface(`files_home_filetrans',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_manage_lost_found',`
gen_require(`
@@ -2538,6 +2570,7 @@ interface(`files_mounton_mnt',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_manage_mnt_dirs',`
gen_require(`
@@ -2708,6 +2741,7 @@ interface(`files_delete_kernel_modules',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_manage_kernel_modules',`
gen_require(`
@@ -2776,6 +2810,7 @@ interface(`files_kernel_modules_filetrans',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_list_world_readable',`
gen_require(`
@@ -2794,6 +2829,7 @@ interface(`files_list_world_readable',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_read_world_readable_files',`
gen_require(`
@@ -2812,6 +2848,7 @@ interface(`files_read_world_readable_files',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_read_world_readable_symlinks',`
gen_require(`
@@ -3902,6 +3939,7 @@ interface(`files_manage_generic_locks',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_delete_all_locks',`
gen_require(`
@@ -4139,6 +4177,7 @@ interface(`files_dontaudit_ioctl_all_pids',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_read_all_pids',`
gen_require(`
@@ -4179,6 +4218,7 @@ interface(`files_mounton_all_poly_members',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`files_delete_all_pids',`
gen_require(`
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 9f2ed2c..5a7769c 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -96,6 +96,7 @@ interface(`fs_associate_noxattr',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_exec_noxattr',`
gen_require(`
@@ -177,6 +178,7 @@ interface(`fs_unmount_xattr_fs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_getattr_xattr_fs',`
gen_require(`
@@ -237,6 +239,7 @@ interface(`fs_relabelfrom_xattr_fs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_get_xattr_fs_quotas',`
gen_require(`
@@ -256,6 +259,7 @@ interface(`fs_get_xattr_fs_quotas',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_set_xattr_fs_quotas',`
gen_require(`
@@ -369,6 +373,7 @@ interface(`fs_search_auto_mountpoints',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_list_auto_mountpoints',`
gen_require(`
@@ -442,6 +447,7 @@ interface(`fs_getattr_binfmt_misc_dirs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_register_binary_executable_type',`
gen_require(`
@@ -517,6 +523,7 @@ interface(`fs_unmount_cifs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_getattr_cifs',`
gen_require(`
@@ -591,6 +598,7 @@ interface(`fs_dontaudit_list_cifs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_read_cifs_files',`
gen_require(`
@@ -622,6 +630,24 @@ interface(`fs_list_noxattr_fs',`
########################################
## <summary>
+## Create, read, write, and delete all noxattrfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_noxattr_fs_dirs',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ allow $1 noxattrfs:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
## Read all noxattrfs files.
## </summary>
## <param name="domain">
@@ -642,6 +668,25 @@ interface(`fs_read_noxattr_fs_files',`
########################################
## <summary>
+## Create, read, write, and delete all noxattrfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_noxattr_fs_files',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ allow $1 noxattrfs:dir rw_dir_perms;
+ allow $1 noxattrfs:file manage_file_perms;
+')
+
+########################################
+## <summary>
## Read all noxattrfs symbolic links.
## </summary>
## <param name="domain">
@@ -727,6 +772,7 @@ interface(`fs_read_cifs_symlinks',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_exec_cifs_files',`
gen_require(`
@@ -747,6 +793,7 @@ interface(`fs_exec_cifs_files',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_manage_cifs_dirs',`
gen_require(`
@@ -786,6 +833,7 @@ interface(`fs_dontaudit_manage_cifs_dirs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_manage_cifs_files',`
gen_require(`
@@ -989,6 +1037,7 @@ interface(`fs_unmount_dos_fs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_getattr_dos_fs',`
gen_require(`
@@ -1164,6 +1213,7 @@ interface(`fs_unmount_iso9660_fs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_getattr_iso9660_fs',`
gen_require(`
@@ -1258,6 +1308,7 @@ interface(`fs_unmount_nfs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_getattr_nfs',`
gen_require(`
@@ -1331,6 +1382,7 @@ interface(`fs_dontaudit_list_nfs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_read_nfs_files',`
gen_require(`
@@ -1388,6 +1440,7 @@ interface(`fs_write_nfs_files',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_exec_nfs_files',`
gen_require(`
@@ -1650,6 +1703,7 @@ interface(`fs_read_rpc_sockets',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_manage_nfs_dirs',`
gen_require(`
@@ -1689,6 +1743,7 @@ interface(`fs_dontaudit_manage_nfs_dirs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_manage_nfs_files',`
gen_require(`
@@ -1729,6 +1784,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_manage_nfs_symlinks',`
gen_require(`
@@ -2445,6 +2501,7 @@ interface(`fs_unmount_tmpfs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_getattr_tmpfs',`
gen_require(`
@@ -2968,6 +3025,7 @@ interface(`fs_unmount_all_fs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_getattr_all_fs',`
gen_require(`
@@ -3005,6 +3063,7 @@ interface(`fs_dontaudit_getattr_all_fs',`
## The type of the domain getting quotas.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_get_all_fs_quotas',`
gen_require(`
@@ -3023,6 +3082,7 @@ interface(`fs_get_all_fs_quotas',`
## The type of the domain setting quotas.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fs_set_all_quotas',`
gen_require(`
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index e5f3a6d..2aa08cc 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -324,6 +324,7 @@ interface(`kernel_link_key',`
## The process type allowed to read the ring buffer.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_read_ring_buffer',`
gen_require(`
@@ -360,6 +361,7 @@ interface(`kernel_dontaudit_read_ring_buffer',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_change_ring_buffer_level',`
gen_require(`
@@ -378,6 +380,7 @@ interface(`kernel_change_ring_buffer_level',`
## The process type clearing the buffer.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_clear_ring_buffer',`
gen_require(`
@@ -653,6 +656,7 @@ interface(`kernel_read_proc_symlinks',`
## The process type reading the system state information.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_read_system_state',`
gen_require(`
@@ -673,6 +677,7 @@ interface(`kernel_read_system_state',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
# cjp: this should probably go away. any
# file thats writable in proc should really
@@ -734,6 +739,7 @@ interface(`kernel_dontaudit_read_proc_symlinks',`
## The process type reading software raid state.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_read_software_raid_state',`
gen_require(`
@@ -910,7 +916,7 @@ interface(`kernel_search_network_state',`
## The process type reading the state.
## </summary>
## </param>
-##
+## <rolecap/>
#
interface(`kernel_read_network_state',`
gen_require(`
@@ -932,7 +938,6 @@ interface(`kernel_read_network_state',`
## The process type reading the state.
## </summary>
## </param>
-##
#
interface(`kernel_read_network_state_symlinks',`
gen_require(`
@@ -1114,6 +1119,7 @@ interface(`kernel_read_sysctl',`
## The process type to allow to read the device sysctls.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_read_device_sysctls',`
gen_require(`
@@ -1135,6 +1141,7 @@ interface(`kernel_read_device_sysctls',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_rw_device_sysctls',`
gen_require(`
@@ -1155,7 +1162,6 @@ interface(`kernel_rw_device_sysctls',`
## Domain allowed access.
## </summary>
## </param>
-##
#
interface(`kernel_search_vm_sysctl',`
gen_require(`
@@ -1174,7 +1180,7 @@ interface(`kernel_search_vm_sysctl',`
## Domain allowed access.
## </summary>
## </param>
-##
+## <rolecap/>
#
interface(`kernel_read_vm_sysctls',`
gen_require(`
@@ -1195,6 +1201,7 @@ interface(`kernel_read_vm_sysctls',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_rw_vm_sysctls',`
gen_require(`
@@ -1255,7 +1262,7 @@ interface(`kernel_dontaudit_search_network_sysctl',`
## Domain allowed access.
## </summary>
## </param>
-##
+## <rolecap/>
#
interface(`kernel_read_net_sysctls',`
gen_require(`
@@ -1277,6 +1284,7 @@ interface(`kernel_read_net_sysctls',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_rw_net_sysctls',`
gen_require(`
@@ -1299,6 +1307,7 @@ interface(`kernel_rw_net_sysctls',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_read_unix_sysctls',`
gen_require(`
@@ -1321,6 +1330,7 @@ interface(`kernel_read_unix_sysctls',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_rw_unix_sysctls',`
gen_require(`
@@ -1342,6 +1352,7 @@ interface(`kernel_rw_unix_sysctls',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_read_hotplug_sysctls',`
gen_require(`
@@ -1363,6 +1374,7 @@ interface(`kernel_read_hotplug_sysctls',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_rw_hotplug_sysctls',`
gen_require(`
@@ -1384,6 +1396,7 @@ interface(`kernel_rw_hotplug_sysctls',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_read_modprobe_sysctls',`
gen_require(`
@@ -1405,6 +1418,7 @@ interface(`kernel_read_modprobe_sysctls',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_rw_modprobe_sysctls',`
gen_require(`
@@ -1483,6 +1497,7 @@ interface(`kernel_dontaudit_write_kernel_sysctl',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_rw_kernel_sysctl',`
gen_require(`
@@ -1504,6 +1519,7 @@ interface(`kernel_rw_kernel_sysctl',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_read_fs_sysctls',`
gen_require(`
@@ -1525,6 +1541,7 @@ interface(`kernel_read_fs_sysctls',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_rw_fs_sysctls',`
gen_require(`
@@ -1546,6 +1563,7 @@ interface(`kernel_rw_fs_sysctls',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_read_irq_sysctls',`
gen_require(`
@@ -1566,7 +1584,7 @@ interface(`kernel_read_irq_sysctls',`
## Domain allowed access.
## </summary>
## </param>
-##
+## <rolecap/>
#
interface(`kernel_rw_irq_sysctls',`
gen_require(`
@@ -1587,7 +1605,7 @@ interface(`kernel_rw_irq_sysctls',`
## Domain allowed access.
## </summary>
## </param>
-##
+## <rolecap/>
#
interface(`kernel_read_rpc_sysctls',`
gen_require(`
@@ -1609,7 +1627,7 @@ interface(`kernel_read_rpc_sysctls',`
## Domain allowed access.
## </summary>
## </param>
-##
+## <rolecap/>
#
interface(`kernel_rw_rpc_sysctls',`
gen_require(`
@@ -1649,6 +1667,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_read_all_sysctls',`
gen_require(`
@@ -1672,6 +1691,7 @@ interface(`kernel_read_all_sysctls',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kernel_rw_all_sysctls',`
gen_require(`
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index ed1e022..a78c551 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -13,6 +13,7 @@
## Domain target for user exemption.
## </summary>
## </param>
+## <rolecap/>
#
interface(`mcs_killall',`
gen_require(`
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 3b38c83..8a1e89c 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -21,6 +21,7 @@
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`mls_file_read_up',`
gen_require(`
@@ -40,6 +41,7 @@ interface(`mls_file_read_up',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`mls_file_write_down',`
gen_require(`
@@ -59,6 +61,7 @@ interface(`mls_file_write_down',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`mls_file_upgrade',`
gen_require(`
@@ -78,6 +81,7 @@ interface(`mls_file_upgrade',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`mls_file_downgrade',`
gen_require(`
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index f10b677..8ee0795 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -106,6 +106,7 @@ interface(`selinux_dontaudit_read_fs',`
## The process type to allow to get the enforcing mode.
## </summary>
## </param>
+## <rolecap/>
#
interface(`selinux_get_enforce_mode',`
gen_require(`
@@ -136,6 +137,7 @@ interface(`selinux_get_enforce_mode',`
## The process type to allow to set the enforcement mode.
## </summary>
## </param>
+## <rolecap/>
#
interface(`selinux_set_enforce_mode',`
gen_require(`
@@ -209,6 +211,7 @@ interface(`selinux_load_policy',`
## The process type allowed to set the Boolean.
## </summary>
## </param>
+## <rolecap/>
#
interface(`selinux_set_boolean',`
gen_require(`
@@ -249,6 +252,7 @@ interface(`selinux_set_boolean',`
## The process type to allow to set security parameters.
## </summary>
## </param>
+## <rolecap/>
#
interface(`selinux_set_parameters',`
gen_require(`
@@ -272,6 +276,7 @@ interface(`selinux_set_parameters',`
## The process type permitted to validate contexts.
## </summary>
## </param>
+## <rolecap/>
#
interface(`selinux_validate_context',`
gen_require(`
@@ -292,6 +297,7 @@ interface(`selinux_validate_context',`
## The process type allowed to compute an access vector.
## </summary>
## </param>
+## <rolecap/>
#
interface(`selinux_compute_access_vector',`
gen_require(`
@@ -312,6 +318,7 @@ interface(`selinux_compute_access_vector',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`selinux_compute_create_context',`
gen_require(`
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index ce3bc65..0b8fa12 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -147,6 +147,7 @@ interface(`term_create_pty',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`term_use_all_terms',`
gen_require(`
@@ -168,6 +169,7 @@ interface(`term_use_all_terms',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`term_write_console',`
gen_require(`
@@ -187,6 +189,7 @@ interface(`term_write_console',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`term_read_console',`
gen_require(`
@@ -206,6 +209,7 @@ interface(`term_read_console',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`term_use_console',`
gen_require(`
@@ -245,6 +249,7 @@ interface(`term_dontaudit_use_console',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`term_setattr_console',`
gen_require(`
@@ -560,6 +565,7 @@ interface(`term_dontaudit_use_ptmx',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`term_getattr_all_user_ptys',`
gen_require(`
@@ -603,6 +609,7 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`term_setattr_all_user_ptys',`
gen_require(`
@@ -641,6 +648,7 @@ interface(`term_relabelto_all_user_ptys',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`term_use_all_user_ptys',`
gen_require(`
@@ -704,6 +712,7 @@ interface(`term_relabel_all_user_ptys',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`term_getattr_unallocated_ttys',`
gen_require(`
@@ -743,6 +752,7 @@ interface(`term_dontaudit_getattr_unallocated_ttys',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`term_setattr_unallocated_ttys',`
gen_require(`
@@ -880,6 +890,7 @@ interface(`term_write_unallocated_ttys',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`term_use_unallocated_ttys',`
gen_require(`
@@ -919,6 +930,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`term_getattr_all_user_ttys',`
gen_require(`
@@ -960,6 +972,7 @@ interface(`term_dontaudit_getattr_all_user_ttys',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`term_setattr_all_user_ttys',`
gen_require(`
@@ -1018,6 +1031,7 @@ interface(`term_write_all_user_ttys',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`term_use_all_user_ttys',`
gen_require(`
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index d263fc3..89bd811 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -241,7 +241,7 @@ template(`apache_content_template',`
#######################################
## <summary>
-## The per user domain template for the apache module.
+## The per role template for the apache module.
## </summary>
## <desc>
## <p>
@@ -271,7 +271,7 @@ template(`apache_content_template',`
## </summary>
## </param>
#
-template(`apache_per_userdomain_template', `
+template(`apache_per_role_template', `
gen_require(`
attribute httpdcontent, httpd_script_domains;
attribute httpd_exec_scripts;
@@ -513,6 +513,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`apache_manage_all_content',`
gen_require(`
@@ -558,6 +559,7 @@ interface(`apache_rw_cache_files',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`apache_read_config',`
gen_require(`
@@ -638,6 +640,7 @@ interface(`apache_domtrans_helper',`
## The type of the terminal allow the dmidecode domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`apache_run_helper',`
gen_require(`
@@ -659,6 +662,7 @@ interface(`apache_run_helper',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`apache_read_log',`
gen_require(`
@@ -825,6 +829,7 @@ interface(`apache_domtrans_rotatelogs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
interface(`apache_manage_sys_content',`
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 62fffb3..6266137 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -61,6 +61,7 @@ interface(`bind_signal',`
## The type of the terminal allow the bind domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`bind_run_ndc',`
gen_require(`
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 8eefbb5..dcbb5aa 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -103,6 +103,7 @@ interface(`bluetooth_dbus_chat',`
## The type of the terminal allow the bluetooth_helper domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`bluetooth_run_helper',`
gen_require(`
diff --git a/policy/modules/services/clockspeed.if b/policy/modules/services/clockspeed.if
index 9d4c892..cc5e29d 100644
--- a/policy/modules/services/clockspeed.if
+++ b/policy/modules/services/clockspeed.if
@@ -40,6 +40,7 @@ interface(`clockspeed_domtrans_cli',`
## The type of the terminal allow the clockspeed_cli domain to use.
## </summary>
## </param>
+## <rolecap/>
#
template(`clockspeed_run_cli',`
gen_require(`
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index d6de082..59d8735 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the cron module.
+## The per role template for the cron module.
## </summary>
## <desc>
## <p>
@@ -33,7 +33,7 @@
## </summary>
## </param>
#
-template(`cron_per_userdomain_template',`
+template(`cron_per_role_template',`
gen_require(`
attribute cron_spool_type;
type crond_t, cron_spool_t, crontab_exec_t;
@@ -277,6 +277,7 @@ template(`cron_per_userdomain_template',`
## is the prefix for user_t).
## </summary>
## </param>
+## <rolecap/>
#
template(`cron_admin_template',`
gen_require(`
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index b144ee9..bd14c17 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -151,6 +151,7 @@ interface(`cups_dbus_chat_config',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`cups_read_config',`
gen_require(`
@@ -172,6 +173,7 @@ interface(`cups_read_config',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`cups_read_rw_config',`
gen_require(`
@@ -192,6 +194,7 @@ interface(`cups_read_rw_config',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`cups_read_log',`
gen_require(`
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 605f253..f971482 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -18,7 +18,7 @@ interface(`dbus_stub',`
#######################################
## <summary>
-## The per user domain template for the dbus module.
+## The per role template for the dbus module.
## </summary>
## <desc>
## <p>
@@ -48,7 +48,7 @@ interface(`dbus_stub',`
## </summary>
## </param>
#
-template(`dbus_per_userdomain_template',`
+template(`dbus_per_role_template',`
##############################
#
diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
index ea9083f..0f3a273 100644
--- a/policy/modules/services/dcc.if
+++ b/policy/modules/services/dcc.if
@@ -42,6 +42,7 @@ interface(`dcc_domtrans_cdcc',`
## The type of the terminal allow the cdcc domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`dcc_run_cdcc',`
gen_require(`
@@ -95,6 +96,7 @@ interface(`dcc_domtrans_client',`
## The type of the terminal allow the dcc_client domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`dcc_run_client',`
gen_require(`
@@ -148,6 +150,7 @@ interface(`dcc_domtrans_dbclean',`
## The type of the terminal allow the dcc_dbclean domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`dcc_run_dbclean',`
gen_require(`
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index e31a0fc..266d62c 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the ftp module.
+## The per role template for the ftp module.
## </summary>
## <desc>
## <p>
@@ -23,7 +23,7 @@
## </summary>
## </param>
#
-template(`ftp_per_userdomain_template',`
+template(`ftp_per_role_template',`
tunable_policy(`ftpd_is_daemon',`
userdom_manage_user_home_content_files($1,ftpd_t)
userdom_manage_user_home_content_symlinks($1,ftpd_t)
diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if
index 39ce526..8fe6b8d 100644
--- a/policy/modules/services/inn.if
+++ b/policy/modules/services/inn.if
@@ -88,6 +88,7 @@ interface(`inn_manage_pid',`
## Domain allowed access.
## </summary>
## </param>
+
#
interface(`inn_read_config',`
gen_require(`
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index b700f65..a475645 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -70,6 +70,7 @@ interface(`kerberos_use',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kerberos_read_config',`
gen_require(`
@@ -108,6 +109,7 @@ interface(`kerberos_dontaudit_write_config',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kerberos_rw_config',`
gen_require(`
@@ -127,6 +129,7 @@ interface(`kerberos_rw_config',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`kerberos_read_keytab',`
gen_require(`
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
index 5565567..c954c2b 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
@@ -28,6 +28,7 @@ interface(`ldap_list_db',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`ldap_read_config',`
gen_require(`
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index 5b19184..ad18018 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for the lpd module.
+## The per role template for the lpd module.
## </summary>
## <desc>
## <p>
@@ -32,7 +32,7 @@
## </summary>
## </param>
#
-template(`lpd_per_userdomain_template',`
+template(`lpd_per_role_template',`
gen_require(`
type lpr_exec_t, lpd_t, print_spool_t, printconf_t, lpd_var_run_t, printer_t;
')
@@ -215,6 +215,7 @@ template(`lpd_per_userdomain_template',`
## is the prefix for user_t).
## </summary>
## </param>
+## <rolecap/>
#
template(`lpr_admin_template',`
gen_require(`
@@ -273,6 +274,7 @@ interface(`lpd_domtrans_checkpc',`
## The type of the terminal allow the lpd domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`lpd_run_checkpc',`
gen_require(`
@@ -334,6 +336,7 @@ interface(`lpd_manage_spool',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`lpd_read_config',`
gen_require(`
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 680594b..c769a83 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -144,7 +144,7 @@ template(`mta_base_mail_template',`
#######################################
## <summary>
-## The per user domain template for the mta module.
+## The per role template for the mta module.
## </summary>
## <desc>
## <p>
@@ -175,7 +175,7 @@ template(`mta_base_mail_template',`
## </summary>
## </param>
#
-template(`mta_per_userdomain_template',`
+template(`mta_per_role_template',`
##############################
#
@@ -255,6 +255,7 @@ template(`mta_per_userdomain_template',`
## The type of the user domain.
## </summary>
## </param>
+## <rolecap/>
#
template(`mta_admin_template',`
gen_require(`
@@ -523,6 +524,7 @@ interface(`mta_sendmail_exec',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`mta_read_config',`
gen_require(`
@@ -582,6 +584,7 @@ interface(`mta_etc_filetrans_aliases',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`mta_rw_aliases',`
gen_require(`
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index aca3c63..80e2098 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -30,6 +30,7 @@ interface(`munin_stream_connect',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`munin_read_config',`
gen_require(`
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index 9fe9237..b75e9d0 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -27,6 +27,7 @@ interface(`mysql_signal',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`mysql_stream_connect',`
gen_require(`
@@ -47,6 +48,7 @@ interface(`mysql_stream_connect',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`mysql_read_config',`
gen_require(`
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
index a8975bf..6aa14d2 100644
--- a/policy/modules/services/nagios.if
+++ b/policy/modules/services/nagios.if
@@ -10,6 +10,7 @@
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`nagios_read_config',`
gen_require(`
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index e78f9aa..129e470 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -72,6 +72,7 @@ interface(`nis_use_ypbind_uncond',`
## The type of the process performing this action.
## </summary>
## </param>
+## <rolecap/>
#
interface(`nis_use_ypbind',`
gen_require(`
diff --git a/policy/modules/services/oav.if b/policy/modules/services/oav.if
index 122b069..8f28e33 100644
--- a/policy/modules/services/oav.if
+++ b/policy/modules/services/oav.if
@@ -44,6 +44,7 @@ interface(`oav_domtrans_update',`
## The type of the terminal allow the oav_update domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`oav_run_update',`
gen_require(`
diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
index 78bbc4b..b21e1ce 100644
--- a/policy/modules/services/openvpn.if
+++ b/policy/modules/services/openvpn.if
@@ -10,6 +10,7 @@
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`openvpn_read_config',`
gen_require(`
diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if
index 3376997..5cc32e7 100644
--- a/policy/modules/services/portmap.if
+++ b/policy/modules/services/portmap.if
@@ -45,6 +45,7 @@ interface(`portmap_domtrans_helper',`
## The type of the terminal allow the portmap domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`portmap_run_helper',`
gen_require(`
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index b6c9bb1..ab9632b 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -187,7 +187,7 @@ template(`postfix_user_domain_template',`
########################################
## <summary>
-## The per-userdomain template for the postfix module.
+## The per role template for the postfix module.
## </summary>
## <param name="prefix">
## <summary>
@@ -201,7 +201,7 @@ template(`postfix_user_domain_template',`
## </summary>
## </param>
#
-template(`postfix_per_userdomain_template',`
+template(`postfix_per_role_template',`
gen_require(`
attribute postfix_user_domains;
type postfix_postdrop_t;
@@ -223,6 +223,7 @@ template(`postfix_per_userdomain_template',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`postfix_read_config',`
gen_require(`
@@ -349,6 +350,7 @@ interface(`postfix_domtrans_map',`
## The type of the terminal allow the postfix_map domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`postfix_run_map',`
gen_require(`
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index c842eb7..2025d03 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -69,6 +69,7 @@ interface(`postgresql_domtrans',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`postgresql_read_config',`
gen_require(`
@@ -104,6 +105,7 @@ interface(`postgresql_tcp_connect',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`postgresql_stream_connect',`
gen_require(`
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index afec620..d6453d2 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -107,6 +107,7 @@ interface(`ppp_domtrans',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`ppp_run_cond',`
gen_require(`
@@ -130,6 +131,7 @@ interface(`ppp_run_cond',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`ppp_run',`
gen_require(`
diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if
index ef23b07..c611aa5 100644
--- a/policy/modules/services/pyzor.if
+++ b/policy/modules/services/pyzor.if
@@ -47,7 +47,7 @@ interface(`pyzor_exec',`
#######################################
## <summary>
-## The per user domain template for the pyzor module.
+## The per role template for the pyzor module.
## </summary>
## <desc>
## <p>
@@ -68,7 +68,7 @@ interface(`pyzor_exec',`
## </summary>
## </param>
#
-template(`pyzor_per_userdomain_template',`
+template(`pyzor_per_role_template',`
type $1_pyzor_home_t;
userdom_user_home_content($1,$1_pyzor_home_t)
diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
index a9ac709..09a3863 100644
--- a/policy/modules/services/qmail.if
+++ b/policy/modules/services/qmail.if
@@ -2,7 +2,7 @@
#######################################
## <summary>
-## The per user domain template for qmail
+## The per role template for qmail
## </summary>
## <desc>
## <p>
@@ -28,7 +28,7 @@
## </summary>
## </param>
#
-template(`qmail_per_userdomain_template',`
+template(`qmail_per_role_template',`
gen_require(`
attribute qmail_user_domains;
')
@@ -163,6 +163,7 @@ interface(`qmail_domtrans_queue',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`qmail_read_config',`
gen_require(`
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
index 26b3637..9a1bff6 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -101,11 +101,11 @@ template(`razor_common_domain_template',`
#######################################
## <summary>
-## The per user domain template for the razor module.
+## The per role template for the razor module.
## </summary>
## <desc>
## <p>
-## The per user domain template for the razor module.
+## The per role template for the razor module.
## </p>
## <p>
## This template is invoked automatically for each user, and
@@ -130,7 +130,7 @@ template(`razor_common_domain_template',`
## </summary>
## </param>
#
-template(`razor_per_userdomain_template',`
+template(`razor_per_role_template',`
type $1_razor_t;
domain_type($1_razor_t)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index 9f76d61..52dd231 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -219,6 +219,7 @@ interface(`rpc_domtrans_nfsd',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`rpc_read_nfs_content',`
gen_require(`
@@ -239,6 +240,7 @@ interface(`rpc_read_nfs_content',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`rpc_manage_nfs_rw_content',`
gen_require(`
@@ -259,6 +261,7 @@ interface(`rpc_manage_nfs_rw_content',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`rpc_manage_nfs_ro_content',`
gen_require(`
diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if
index 9f1bdd8..af9ff01 100644
--- a/policy/modules/services/rsync.if
+++ b/policy/modules/services/rsync.if
@@ -94,6 +94,7 @@ interface(`rsync_entry_domtrans',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`rsync_exec',`
gen_require(`
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 7cacf8b..0245910 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -6,7 +6,7 @@
#######################################
## <summary>
-## The per user domain template for the samba module.
+## The per role template for the samba module.
## </summary>
## <desc>
## <p>
@@ -27,7 +27,7 @@
## </summary>
## </param>
#
-template(`samba_per_userdomain_template',`
+template(`samba_per_role_template',`
gen_require(`
type smbd_t;
')
@@ -86,6 +86,7 @@ interface(`samba_domtrans_net',`
## The type of the terminal allow the samba_net domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`samba_run_net',`
gen_require(`
@@ -131,6 +132,7 @@ interface(`samba_domtrans_smbmount',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`samba_read_config',`
gen_require(`
@@ -151,6 +153,7 @@ interface(`samba_read_config',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`samba_rw_config',`
gen_require(`
@@ -170,6 +173,7 @@ interface(`samba_rw_config',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`samba_read_log',`
gen_require(`
@@ -339,6 +343,7 @@ interface(`samba_domtrans_winbind_helper',`
## The type of the terminal allow the winbind_helper domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`samba_run_winbind_helper',`
gen_require(`
diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if
index 28a0ca6..7c70d80 100644
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
@@ -83,6 +83,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`sendmail_manage_log',`
gen_require(`
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index b58b49f..3ffdc69 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -2,11 +2,11 @@
#######################################
## <summary>
-## The per user domain template for the spamassassin module.
+## The per role template for the spamassassin module.
## </summary>
## <desc>
## <p>
-## The per user domain template for the spamassassin module.
+## The per role template for the spamassassin module.
## </p>
## <p>
## This template is invoked automatically for each user, and
@@ -33,7 +33,7 @@
#
# cjp: when tunables are available, spamc stuff should be
# toggled on activation of spamc, and similarly for spamd.
-template(`spamassassin_per_userdomain_template',`
+template(`spamassassin_per_role_template',`
##############################
#
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index 4a7a357..a819bfc 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -33,6 +33,7 @@ interface(`squid_domtrans',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`squid_read_config',`
gen_require(`
@@ -52,6 +53,7 @@ interface(`squid_read_config',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`squid_read_log',`
gen_require(`
@@ -93,6 +95,7 @@ interface(`squid_append_log',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`squid_manage_logs',`
gen_require(`
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index e31296f..a801eba 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -185,7 +185,7 @@ template(`ssh_basic_client_template',`
#######################################
## <summary>
-## The per user domain template for the ssh module.
+## The per role template for the ssh module.
## </summary>
## <desc>
## <p>
@@ -216,7 +216,7 @@ template(`ssh_basic_client_template',`
## </summary>
## </param>
#
-template(`ssh_per_userdomain_template',`
+template(`ssh_per_role_template',`
gen_require(`
type ssh_agent_exec_t, ssh_keysign_exec_t;
')
diff --git a/policy/modules/services/sysstat.if b/policy/modules/services/sysstat.if
index d646197..a3beead 100644
--- a/policy/modules/services/sysstat.if
+++ b/policy/modules/services/sysstat.if
@@ -9,6 +9,7 @@
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`sysstat_manage_log',`
gen_require(`
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6c6ccf2..db6a010 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -189,7 +189,7 @@ template(`xserver_common_domain_template',`
#######################################
## <summary>
-## The per user domain template for the xserver module.
+## The per role template for the xserver module.
## </summary>
## <desc>
## <p>
@@ -220,7 +220,7 @@ template(`xserver_common_domain_template',`
## </summary>
## </param>
#
-template(`xserver_per_userdomain_template',`
+template(`xserver_per_role_template',`
##############################
#
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
index 4c6bcc9..8f23864 100644
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@@ -9,6 +9,7 @@
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`zebra_read_config',`
gen_require(`
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index b947f0a..bdcc29b 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -64,7 +64,7 @@ template(`authlogin_common_auth_domain_template',`
#######################################
## <summary>
-## The per user domain template for the authlogin module.
+## The per role template for the authlogin module.
## </summary>
## <desc>
## <p>
@@ -96,7 +96,7 @@ template(`authlogin_common_auth_domain_template',`
## </summary>
## </param>
#
-template(`authlogin_per_userdomain_template',`
+template(`authlogin_per_role_template',`
gen_require(`
type system_chkpwd_t, shadow_t;
@@ -609,6 +609,7 @@ interface(`auth_rw_faillog',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`auth_read_lastlog',`
gen_require(`
@@ -991,6 +992,7 @@ interface(`auth_read_all_dirs_except_shadow',`
## must be negated by the caller.
## </summary>
## </param>
+## <rolecap/>
#
interface(`auth_read_all_files_except_shadow',`
gen_require(`
@@ -1174,6 +1176,7 @@ interface(`auth_setattr_login_records',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`auth_read_login_records',`
gen_require(`
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index 542db15..1a2437d 100644
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -43,6 +43,7 @@ interface(`clock_domtrans',`
## The type of the terminal allow the clock domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`clock_run',`
gen_require(`
diff --git a/policy/modules/system/daemontools.if b/policy/modules/system/daemontools.if
index 598e580..d3227c2 100644
--- a/policy/modules/system/daemontools.if
+++ b/policy/modules/system/daemontools.if
@@ -131,6 +131,7 @@ interface(`daemontools_domtrans_multilog',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`daemontools_read_svc',`
gen_require(`
@@ -150,6 +151,7 @@ interface(`daemontools_read_svc',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`daemontools_manage_svc',`
gen_require(`
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 29ec471..781d949 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -44,6 +44,7 @@ interface(`fstools_domtrans',`
## The type of the terminal allow the fs tools domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`fstools_run',`
gen_require(`
diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
index 79a89e7..f60389d 100644
--- a/policy/modules/system/getty.if
+++ b/policy/modules/system/getty.if
@@ -51,6 +51,7 @@ interface(`getty_use_fds',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`getty_read_log',`
gen_require(`
@@ -70,6 +71,7 @@ interface(`getty_read_log',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`getty_read_config',`
gen_require(`
@@ -89,6 +91,7 @@ interface(`getty_read_config',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`getty_rw_config',`
gen_require(`
diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if
index d7a3090..707499c 100644
--- a/policy/modules/system/hostname.if
+++ b/policy/modules/system/hostname.if
@@ -64,6 +64,7 @@ interface(`hostname_run',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`hostname_exec',`
gen_require(`
diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if
index e9e0ee9..9a92dd8 100644
--- a/policy/modules/system/hotplug.if
+++ b/policy/modules/system/hotplug.if
@@ -147,6 +147,7 @@ interface(`hotplug_search_config',`
## The type of the process performing this action.
## </summary>
## </param>
+## <rolecap/>
#
interface(`hotplug_read_config',`
gen_require(`
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 15bc6e8..435b60c 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -199,6 +199,7 @@ interface(`init_domtrans',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`init_exec',`
gen_require(`
@@ -387,6 +388,26 @@ interface(`init_write_initctl',`
########################################
## <summary>
+## Use telinit (Read and write initctl).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_telinit',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
## Read and write initctl.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 2cb9b8c..2ee4fe0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.3.22)
+policy_module(init,1.3.23)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index a3fc91d..b4a643f 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -89,6 +89,7 @@ interface(`ipsec_exec_mgmt',`
## The type of the process performing this action.
## </summary>
## </param>
+## <rolecap/>
#
interface(`ipsec_read_config',`
gen_require(`
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 2d748cb..d81ec11 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -44,6 +44,7 @@ interface(`iptables_domtrans',`
## The type of the terminal allow the iptables domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`iptables_run',`
gen_require(`
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index 64e70c8..439f5ea 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -43,6 +43,7 @@ interface(`libs_domtrans_ldconfig',`
## The type of the terminal allow the ldconfig domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`libs_run_ldconfig',`
gen_require(`
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 62f6100..bdcf860 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -31,6 +31,7 @@ interface(`logging_log_file',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`logging_read_audit_log',`
gen_require(`
@@ -85,6 +86,7 @@ interface(`logging_domtrans_auditctl',`
## The type of the terminal allow the auditctl domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`logging_run_auditctl',`
gen_require(`
@@ -179,6 +181,7 @@ interface(`logging_stream_connect_auditd',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`logging_manage_audit_config',`
gen_require(`
@@ -199,6 +202,7 @@ interface(`logging_manage_audit_config',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`logging_manage_audit_log',`
gen_require(`
@@ -302,6 +306,7 @@ interface(`logging_send_syslog_msg',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`logging_read_audit_config',`
gen_require(`
@@ -439,6 +444,7 @@ interface(`logging_append_all_logs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`logging_read_all_logs',`
gen_require(`
@@ -482,6 +488,7 @@ interface(`logging_exec_all_logs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`logging_manage_all_logs',`
gen_require(`
@@ -503,6 +510,7 @@ interface(`logging_manage_all_logs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`logging_read_generic_logs',`
gen_require(`
@@ -564,6 +572,7 @@ interface(`logging_rw_generic_logs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`logging_manage_generic_logs',`
gen_require(`
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 193069c..94e3014 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -43,6 +43,7 @@ interface(`lvm_domtrans',`
## The type of the terminal allow the LVM domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`lvm_run',`
gen_require(`
@@ -63,6 +64,7 @@ interface(`lvm_run',`
## The type of the process performing this action.
## </summary>
## </param>
+## <rolecap/>
#
interface(`lvm_read_config',`
gen_require(`
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 0c934e1..549b4fb 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -9,6 +9,7 @@
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`miscfiles_read_certs',`
gen_require(`
@@ -29,6 +30,7 @@ interface(`miscfiles_read_certs',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`miscfiles_read_fonts',`
gen_require(`
@@ -53,6 +55,7 @@ interface(`miscfiles_read_fonts',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`miscfiles_manage_fonts',`
gen_require(`
@@ -180,6 +183,7 @@ interface(`miscfiles_dontaudit_search_man_pages',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`miscfiles_read_man_pages',`
gen_require(`
@@ -245,6 +249,7 @@ interface(`miscfiles_manage_man_pages',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`miscfiles_read_public_files',`
gen_require(`
@@ -266,6 +271,7 @@ interface(`miscfiles_read_public_files',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`miscfiles_manage_public_files',`
gen_require(`
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index b1dca23..415ce86 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -29,6 +29,7 @@ interface(`modutils_read_module_deps',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`modutils_read_module_config',`
gen_require(`
@@ -130,6 +131,7 @@ interface(`modutils_domtrans_insmod',`
## The type of the terminal allow the insmod domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`modutils_run_insmod',`
gen_require(`
@@ -203,6 +205,7 @@ interface(`modutils_domtrans_depmod',`
## The type of the terminal allow the depmod domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`modutils_run_depmod',`
gen_require(`
@@ -276,6 +279,7 @@ interface(`modutils_domtrans_update_mods',`
## The type of the terminal allow the update_modules domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`modutils_run_update_mods',`
gen_require(`
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index d9c0af3..19f3dff 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -44,6 +44,7 @@ interface(`mount_domtrans',`
## The type of the terminal allow the mount domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`mount_run',`
gen_require(`
diff --git a/policy/modules/system/pcmcia.if b/policy/modules/system/pcmcia.if
index 15155f4..1a01059 100644
--- a/policy/modules/system/pcmcia.if
+++ b/policy/modules/system/pcmcia.if
@@ -100,6 +100,7 @@ interface(`pcmcia_domtrans_cardctl',`
## The type of the terminal allow the cardmgr domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`pcmcia_run_cardctl',`
gen_require(`
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 1c59671..6d87f29 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -46,6 +46,7 @@ interface(`seutil_domtrans_checkpolicy',`
## The type of the terminal allow the checkpolicy domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`seutil_run_checkpolicy',`
gen_require(`
@@ -66,6 +67,7 @@ interface(`seutil_run_checkpolicy',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`seutil_exec_checkpolicy',`
gen_require(`
@@ -122,6 +124,7 @@ interface(`seutil_domtrans_loadpolicy',`
## The type of the terminal allow the load_policy domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`seutil_run_loadpolicy',`
gen_require(`
@@ -217,6 +220,7 @@ interface(`seutil_domtrans_newrole',`
## The type of the terminal allow the newrole domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`seutil_run_newrole',`
gen_require(`
@@ -348,6 +352,7 @@ interface(`seutil_domtrans_restorecon',`
## The type of the terminal allow the restorecon domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`seutil_run_restorecon',`
gen_require(`
@@ -368,6 +373,7 @@ interface(`seutil_run_restorecon',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`seutil_exec_restorecon',`
gen_require(`
@@ -453,6 +459,7 @@ interface(`seutil_init_script_domtrans_runinit',`
## The type of the terminal allow the run_init domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`seutil_run_runinit',`
gen_require(`
@@ -574,6 +581,7 @@ interface(`seutil_domtrans_setfiles',`
## The type of the terminal allow the setfiles domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`seutil_run_setfiles',`
gen_require(`
@@ -653,6 +661,7 @@ interface(`seutil_dontaudit_read_config',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`seutil_read_config',`
gen_require(`
@@ -675,6 +684,7 @@ interface(`seutil_read_config',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`seutil_manage_selinux_config',`
gen_require(`
@@ -715,6 +725,7 @@ interface(`seutil_search_default_contexts',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`seutil_read_default_contexts',`
gen_require(`
@@ -757,6 +768,7 @@ interface(`seutil_manage_default_contexts',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`seutil_read_file_contexts',`
gen_require(`
@@ -801,6 +813,7 @@ interface(`seutil_rw_file_contexts',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`seutil_manage_file_contexts',`
gen_require(`
@@ -932,6 +945,7 @@ interface(`seutil_read_src_policy',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`seutil_manage_src_policy',`
gen_require(`
@@ -990,6 +1004,7 @@ interface(`seutil_domtrans_semanage',`
## The type of the terminal allow the semanage domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`seutil_run_semanage',`
gen_require(`
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index be11fc0..c8813eb 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -44,6 +44,7 @@ interface(`sysnet_domtrans_dhcpc',`
## The type of the terminal allow the clock domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`sysnet_run_dhcpc',`
gen_require(`
@@ -82,6 +83,7 @@ interface(`sysnet_sigchld_dhcpc',`
## The domain sending the SIGKILL.
## </summary>
## </param>
+## <rolecap/>
#
interface(`sysnet_kill_dhcpc',`
gen_require(`
@@ -136,6 +138,7 @@ interface(`sysnet_signull_dhcpc',`
## The domain sending the signal.
## </summary>
## </param>
+## <rolecap/>
#
interface(`sysnet_signal_dhcpc',`
gen_require(`
@@ -359,6 +362,7 @@ interface(`sysnet_domtrans_ifconfig',`
## The type of the terminal allow the ifconfig domain to use.
## </summary>
## </param>
+## <rolecap/>
#
interface(`sysnet_run_ifconfig',`
gen_require(`
@@ -478,6 +482,7 @@ interface(`sysnet_dhcp_state_filetrans',`
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`sysnet_dns_name_resolve',`
gen_require(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 00a7dd6..33a436e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2,19 +2,15 @@
#######################################
## <summary>
-## The template containing rules common to unprivileged
-## users and administrative users.
+## The template containing the most basic rules common to all users.
## </summary>
## <desc>
## <p>
-## This template creates a user domain, types, and
-## rules for the user's tty, pty, home directories,
-## tmp, and tmpfs files.
+## The template containing the most basic rules common to all users.
## </p>
## <p>
-## This generally should not be used, rather the
-## unpriv_user_template or admin_user_template should
-## be used.
+## This template creates a user domain, types, and
+## rules for the user's tty and pty.
## </p>
## </desc>
## <param name="userdomain_prefix">
@@ -23,9 +19,9 @@
## is the prefix for user_t).
## </summary>
## </param>
+## <rolebase/>
#
-template(`base_user_template',`
-
+template(`userdom_base_user_template',`
attribute $1_file_type;
type $1_t, userdomain;
@@ -37,56 +33,14 @@ template(`base_user_template',`
role $1_r types $1_t;
allow system_r $1_r;
- # user pseudoterminal
type $1_devpts_t;
term_user_pty($1_t,$1_devpts_t)
files_type($1_devpts_t)
- # type for contents of home directory
- type $1_home_t, $1_file_type, home_type;
- files_type($1_home_t)
- files_associate_tmp($1_home_t)
- fs_associate_tmpfs($1_home_t)
-
- # type of home directory
- type $1_home_dir_t, home_dir_type, home_type;
- files_type($1_home_dir_t)
- files_associate_tmp($1_home_dir_t)
- fs_associate_tmpfs($1_home_dir_t)
-
- type $1_tmp_t, $1_file_type;
- files_tmp_file($1_tmp_t)
-
- type $1_tmpfs_t;
- files_tmpfs_file($1_tmpfs_t)
-
- # types for network-obtained content
- type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
- files_type($1_untrusted_content_t)
- files_poly_member($1_untrusted_content_t)
-
- type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
- files_tmp_file($1_untrusted_content_tmp_t)
-
type $1_tty_device_t;
term_tty($1_t,$1_tty_device_t)
- ##############################
- #
- # User home directory file rules
- #
-
- allow $1_file_type $1_home_t:filesystem associate;
-
- ##############################
- #
- # User domain Local policy
- #
-
- allow $1_t self:capability { setgid chown fowner };
- dontaudit $1_t self:capability { sys_nice fsetid };
- allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow $1_t self:process { ptrace setfscreate };
+ allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession };
allow $1_t self:fd use;
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -96,57 +50,13 @@ template(`base_user_template',`
allow $1_t self:msgq create_msgq_perms;
allow $1_t self:msg { send receive };
dontaudit $1_t self:socket create;
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
-
- # evolution and gnome-session try to create a netlink socket
- dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
- dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-
- # execute files in the home directory
- can_exec($1_t,$1_home_t)
-
- # full control of the home directory
- allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
- allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
- allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
- allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
- allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
- allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
- type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
- files_search_home($1_t)
-
- can_exec($1_t,$1_tmp_t)
-
- # user temporary files
- allow $1_t $1_tmp_t:file create_file_perms;
- allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
- allow $1_t $1_tmp_t:dir create_dir_perms;
- allow $1_t $1_tmp_t:sock_file create_file_perms;
- allow $1_t $1_tmp_t:fifo_file create_file_perms;
- files_tmp_filetrans($1_t, $1_tmp_t, { dir notdevfile_class_set })
-
- # Bind to a Unix domain socket in /tmp.
- # cjp: this is combination is not checked and should be removed
- allow $1_t $1_tmp_t:unix_stream_socket name_bind;
- allow $1_t $1_tmpfs_t:dir rw_dir_perms;
- allow $1_t $1_tmpfs_t:file create_file_perms;
- allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_t $1_tmpfs_t:sock_file create_file_perms;
- allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
- fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
+ allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+ term_create_pty($1_t,$1_devpts_t)
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
- # Allow user to relabel untrusted content
- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
-
- allow $1_t unpriv_userdomain:fd use;
-
kernel_read_kernel_sysctls($1_t)
- kernel_read_net_sysctls($1_t)
kernel_dontaudit_list_unlabeled($1_t)
kernel_dontaudit_getattr_unlabeled_files($1_t)
kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
@@ -154,78 +64,23 @@ template(`base_user_template',`
kernel_dontaudit_getattr_unlabeled_sockets($1_t)
kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
- # Very permissive allowing every domain to see every type:
- kernel_get_sysvipc_info($1_t)
- # Find CDROM devices:
- kernel_read_device_sysctls($1_t)
-
- dev_rw_power_management($1_t)
- # GNOME checks for usb and other devices:
- dev_rw_usbfs($1_t)
-
- corenet_non_ipsec_sendrecv($1_t)
- corenet_tcp_sendrecv_all_if($1_t)
- corenet_udp_sendrecv_all_if($1_t)
- corenet_tcp_sendrecv_all_nodes($1_t)
- corenet_udp_sendrecv_all_nodes($1_t)
- corenet_tcp_sendrecv_all_ports($1_t)
- corenet_udp_sendrecv_all_ports($1_t)
- corenet_tcp_bind_all_nodes($1_t)
- corenet_udp_bind_all_nodes($1_t)
- corenet_udp_bind_generic_port($1_t)
- corenet_tcp_connect_all_ports($1_t)
- corenet_sendrecv_all_client_packets($1_t)
-
- dev_read_input($1_t)
- dev_read_misc($1_t)
- dev_write_misc($1_t)
- dev_write_sound($1_t)
- dev_read_sound($1_t)
- dev_read_sound_mixer($1_t)
- dev_write_sound_mixer($1_t)
- dev_read_rand($1_t)
- dev_read_urand($1_t)
- # open office is looking for the following
- dev_getattr_agp_dev($1_t)
- dev_dontaudit_rw_dri($1_t)
-
- fs_get_all_fs_quotas($1_t)
- fs_getattr_all_fs($1_t)
- fs_getattr_all_dirs($1_t)
- fs_search_auto_mountpoints($1_t)
-
- # cjp: some of this probably can be removed
- selinux_get_fs_mount($1_t)
- selinux_validate_context($1_t)
- selinux_compute_access_vector($1_t)
- selinux_compute_create_context($1_t)
- selinux_compute_relabel_context($1_t)
- selinux_compute_user_contexts($1_t)
-
- # for eject
- storage_getattr_fixed_disk_dev($1_t)
-
- auth_read_login_records($1_t)
- auth_dontaudit_write_login_records($1_t)
- auth_search_pam_console_data($1_t)
- auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- corecmd_exec_bin($1_t)
- corecmd_exec_sbin($1_t)
- corecmd_exec_ls($1_t)
-
- domain_use_interactive_fds($1_t)
# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc. Do not audit these denials.
domain_dontaudit_read_all_domains_state($1_t)
domain_dontaudit_getattr_all_domains($1_t)
domain_dontaudit_getsession_all_domains($1_t)
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
- # Check to see if cdrom is mounted
- files_search_mnt($1_t)
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+ files_read_usr_files($1_t)
+ # Read directories and files with the readable_t type.
+ # This type is a general type for "world"-readable files.
+ files_list_world_readable($1_t)
+ files_read_world_readable_files($1_t)
+ files_read_world_readable_symlinks($1_t)
+ files_read_world_readable_pipes($1_t)
+ files_read_world_readable_sockets($1_t)
# old broswer_domain():
files_dontaudit_list_non_security($1_t)
files_dontaudit_getattr_non_security_files($1_t)
@@ -235,34 +90,658 @@ template(`base_user_template',`
files_dontaudit_getattr_non_security_blk_files($1_t)
files_dontaudit_getattr_non_security_chr_files($1_t)
- # Caused by su - init scripts
- init_dontaudit_use_script_ptys($1_t)
+ libs_use_ld_so($1_t)
+ libs_use_shared_libs($1_t)
+ libs_exec_ld_so($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ tunable_policy(`allow_execmem',`
+ # Allow loading DSOs that require executable stack.
+ allow $1_t self:process execmem;
+ ')
+
+ tunable_policy(`allow_execmem && allow_execstack',`
+ # Allow making the stack executable via mprotect.
+ allow $1_t self:process execstack;
+ ')
+')
+
+#######################################
+## <summary>
+## The template for creating a home directory
+## that the user has read-only access.
+## </summary>
+## <desc>
+## <p>
+## The template for creating a home directory
+## that the user has read-only access.
+## </p>
+## <p>
+## This does not allow execute access.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_ro_home_template',`
+ # type for contents of home directory
+ type $1_home_t, $1_file_type, home_type;
+ files_type($1_home_t)
+ files_associate_tmp($1_home_t)
+ fs_associate_tmpfs($1_home_t)
+
+ # type of home directory
+ type $1_home_dir_t, home_dir_type, home_type;
+ files_type($1_home_dir_t)
+ files_associate_tmp($1_home_dir_t)
+ fs_associate_tmpfs($1_home_dir_t)
+
+ ##############################
+ #
+ # User home directory file rules
+ #
+
+ allow $1_file_type $1_home_t:filesystem associate;
+
+ # Rules used to associate a homedir as a mountpoint
+ allow $1_home_t self:filesystem associate;
+
+ ##############################
+ #
+ # Domain access to home dir
+ #
+
+ # read-only home directory
+ allow $1_t $1_home_t:file { read_file_perms entrypoint };
+ allow $1_t $1_home_t:lnk_file read_file_perms;
+ allow $1_t $1_home_t:dir list_dir_perms;
+ allow $1_t $1_home_t:sock_file read_file_perms;
+ allow $1_t $1_home_t:fifo_file read_file_perms;
+ allow $1_t $1_home_dir_t:dir list_dir_perms;
+ files_list_home($1_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs_dirs($1_t)
+ fs_read_nfs_files($1_t)
+ fs_read_nfs_symlinks($1_t)
+ fs_read_nfs_named_sockets($1_t)
+ fs_read_nfs_named_pipes($1_t)
+ ',`
+ fs_dontaudit_read_nfs_dirs($1_t)
+ fs_dontaudit_read_nfs_files($1_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs_dirs($1_t)
+ fs_read_cifs_files($1_t)
+ fs_read_cifs_symlinks($1_t)
+ fs_read_cifs_named_sockets($1_t)
+ fs_read_cifs_named_pipes($1_t)
+ ',`
+ fs_dontaudit_list_cifs_dirs($1_t)
+ fs_dontaudit_read_cifs_files($1_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The template for creating a home directory
+## that the user has full access.
+## </summary>
+## <desc>
+## <p>
+## The template for creating a home directory
+## that the user has full access.
+## </p>
+## <p>
+## This does not allow execute access.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_manage_home_template',`
+ # type for contents of home directory
+ type $1_home_t, $1_file_type, home_type;
+ files_type($1_home_t)
+ files_associate_tmp($1_home_t)
+ fs_associate_tmpfs($1_home_t)
+
+ # type of home directory
+ type $1_home_dir_t, home_dir_type, home_type;
+ files_type($1_home_dir_t)
+ files_associate_tmp($1_home_dir_t)
+ fs_associate_tmpfs($1_home_dir_t)
+
+ ##############################
+ #
+ # User home directory file rules
+ #
+
+ allow $1_file_type $1_home_t:filesystem associate;
+
+ # Rules used to associate a homedir as a mountpoint
+ allow $1_home_t self:filesystem associate;
+
+ ##############################
+ #
+ # Domain access to home dir
+ #
+
+ # full control of the home directory
+ allow $1_t $1_home_t:file { manage_file_perms relabelfrom relabelto entrypoint };
+ allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:dir { manage_dir_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:sock_file { manage_file_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:fifo_file { manage_file_perms relabelfrom relabelto };
+ allow $1_t $1_home_dir_t:dir { manage_dir_perms relabelfrom relabelto };
+ type_transition $1_t $1_home_dir_t:{ dir file lnk_file sock_file fifo_file } $1_home_t;
+ files_list_home($1_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs($1_t)
+ fs_manage_nfs_files($1_t)
+ fs_manage_nfs_symlinks($1_t)
+ fs_manage_nfs_named_sockets($1_t)
+ fs_manage_nfs_named_pipes($1_t)
+ ',`
+ fs_dontaudit_manage_nfs_dirs($1_t)
+ fs_dontaudit_manage_nfs_files($1_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs($1_t)
+ fs_manage_cifs_files($1_t)
+ fs_manage_cifs_symlinks($1_t)
+ fs_manage_cifs_named_sockets($1_t)
+ fs_manage_cifs_named_pipes($1_t)
+ ',`
+ fs_dontaudit_manage_cifs_dirs($1_t)
+ fs_dontaudit_manage_cifs_files($1_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The template for allowing the user
+## to execute files in their home directory.
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_exec_home_template',`
+ can_exec($1_t,$1_home_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_exec_cifs_files($1_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The template for polyinstantiating
+## a user home directory.
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_poly_home_template',`
+ ifdef(`enable_polyinstantiation',`
+ type_member $1_t $1_home_dir_t:dir $1_home_t;
+
+ files_poly($1_home_dir_t)
+ files_poly_member($1_home_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The template for full access to the temporary directories.
+## </summary>
+## <desc>
+## <p>
+## The template for full access to the temporary directories.
+## This creates a derived type for the user
+## temporary type. Execute access is not given.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_manage_tmp_template',`
+ type $1_tmp_t, $1_file_type;
+ files_tmp_file($1_tmp_t)
+
+ allow $1_t $1_tmp_t:dir manage_dir_perms;
+ allow $1_t $1_tmp_t:file manage_file_perms;
+ allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
+ allow $1_t $1_tmp_t:sock_file manage_file_perms;
+ allow $1_t $1_tmp_t:fifo_file manage_file_perms;
+ files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
+')
+
+#######################################
+## <summary>
+## The template for execute access to the user temporary files.
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_exec_tmp_template',`
+ can_exec($1_t,$1_tmp_t)
+')
+
+#######################################
+## <summary>
+## The template for a polyinstantiated temporary directory.
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_poly_tmp_template',`
+ ifdef(`enable_polyinstantiation',`
+ files_poly_member_tmp($1_t,$1_tmp_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The template for creating a tmpfs type
+## that the user has full access.
+## </summary>
+## <desc>
+## <p>
+## The template for creating a tmpfs type
+## that the user has full access.
+## </p>
+## <p>
+## This does not allow execute access.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_manage_tmpfs_template',`
+ type $1_tmpfs_t, $1_file_type;
+ files_tmpfs_file($1_tmpfs_t)
+
+ allow $1_t $1_tmpfs_t:dir rw_dir_perms;
+ allow $1_t $1_tmpfs_t:file manage_file_perms;
+ allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
+ allow $1_t $1_tmpfs_t:sock_file manage_file_perms;
+ allow $1_t $1_tmpfs_t:fifo_file manage_file_perms;
+ fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+')
+
+#######################################
+## <summary>
+## The template for creating a set of types
+## for untrusted content.
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_untrusted_content_template',`
+ gen_require(`
+ attribute $1_file_type;
+ attribute untrusted_content_type, untrusted_content_tmp_type;
+ type $1_t;
+ ')
+
+ # types for network-obtained content
+ type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
+ files_type($1_untrusted_content_t)
+ files_poly_member($1_untrusted_content_t)
+
+ type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
+ files_tmp_file($1_untrusted_content_tmp_t)
+
+ # Allow user to relabel untrusted content
+ allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { manage_dir_perms relabelto relabelfrom };
+ allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+
+ tunable_policy(`read_untrusted_content',`
+ allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir list_dir_perms;
+ allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file read_file_perms;
+ allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read };
+ ',`
+ dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir list_dir_perms;
+ dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file read_file_perms;
+ ')
+')
+
+#######################################
+## <summary>
+## The template allowing the user to execute
+## generic programs, such as those found in /bin,
+## /sbin, /usr/bin, and /usr/sbin.
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_exec_generic_pgms_template',`
+ gen_require(`
+ type $1_t;
+ ')
+
+ corecmd_exec_bin($1_t)
+ corecmd_exec_sbin($1_t)
+ corecmd_exec_ls($1_t)
+')
+
+#######################################
+## <summary>
+## The template allowing the user basic
+## network permissions
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_basic_networking_template',`
+ gen_require(`
+ type $1_t;
+ ')
+
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
+
+ corenet_non_ipsec_sendrecv($1_t)
+ corenet_tcp_sendrecv_all_if($1_t)
+ corenet_udp_sendrecv_all_if($1_t)
+ corenet_tcp_sendrecv_all_nodes($1_t)
+ corenet_udp_sendrecv_all_nodes($1_t)
+ corenet_tcp_sendrecv_all_ports($1_t)
+ corenet_udp_sendrecv_all_ports($1_t)
+ corenet_tcp_connect_all_ports($1_t)
+ corenet_sendrecv_all_client_packets($1_t)
+')
+
+#######################################
+## <summary>
+## The template for creating a user xwindows client.
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_xwindows_client_template',`
+ gen_require(`
+ type $1_t, $1_tmpfs_t;
+ ')
+
+ optional_policy(`
+ dev_rw_xserver_misc($1_t)
+ dev_rw_power_management($1_t)
+ dev_read_input($1_t)
+ dev_read_misc($1_t)
+ dev_write_misc($1_t)
+ # open office is looking for the following
+ dev_getattr_agp_dev($1_t)
+ dev_dontaudit_rw_dri($1_t)
+ # GNOME checks for usb and other devices:
+ dev_rw_usbfs($1_t)
+
+ xserver_user_client_template($1,$1_t,$1_tmpfs_t)
+ xserver_xsession_entry_type($1_t)
+ xserver_dontaudit_write_log($1_t)
+ xserver_stream_connect_xdm($1_t)
+ # certain apps want to read xdm.pid file
+ xserver_read_xdm_pid($1_t)
+ # gnome-session creates socket under /tmp/.ICE-unix/
+ xserver_create_xdm_tmp_sockets($1_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The template for allowing the user to change passwords.
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_change_password_template',`
+ gen_require(`
+ type $1_t, $1_devpts_t, $1_tty_device_t;
+ role $1_r;
+ ')
+
+ optional_policy(`
+ usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+ usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+ ')
+')
+
+#######################################
+## <summary>
+## The template for allowing the user to change roles.
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`userdom_role_change_template',`
+ gen_require(`
+ role $1_r, $2_r;
+ type $1_t, $2_t;
+ type $1_devpts_t, $2_devpts_t;
+ type $1_tty_device_t, $2_tty_device_t;
+ ')
+
+ allow $1_r $2_r;
+ type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
+ type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+ # avoid annoying messages on terminal hangup
+ dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+')
+
+#######################################
+## <summary>
+## The template containing rules common to unprivileged
+## users and administrative users.
+## </summary>
+## <desc>
+## <p>
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, tmp, and tmpfs files.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`userdom_common_user_template',`
+
+ userdom_base_user_template($1)
+
+ userdom_manage_home_template($1)
+ userdom_exec_home_template($1)
+
+ userdom_manage_tmp_template($1)
+ userdom_exec_tmp_template($1)
+
+ userdom_manage_tmpfs_template($1)
+
+ userdom_untrusted_content_template($1)
+
+ userdom_basic_networking_template($1)
+
+ userdom_exec_generic_pgms_template($1)
+
+ userdom_xwindows_client_template($1)
+
+ userdom_change_password_template($1)
+
+ ##############################
+ #
+ # User domain Local policy
+ #
+
+ allow $1_t self:capability { setgid chown fowner };
+ dontaudit $1_t self:capability { sys_nice fsetid };
+ allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_t self:process { ptrace setfscreate };
+
+ # evolution and gnome-session try to create a netlink socket
+ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+
+ allow $1_t unpriv_userdomain:fd use;
+
+ kernel_read_system_state($1_t)
+ kernel_read_network_state($1_t)
+ kernel_read_net_sysctls($1_t)
+ # Very permissive allowing every domain to see every type:
+ kernel_get_sysvipc_info($1_t)
+ # Find CDROM devices:
+ kernel_read_device_sysctls($1_t)
+
+ corenet_udp_bind_all_nodes($1_t)
+ corenet_udp_bind_generic_port($1_t)
+
+ dev_read_sysfs($1_t)
+ dev_read_rand($1_t)
+ dev_read_urand($1_t)
+ dev_write_sound($1_t)
+ dev_read_sound($1_t)
+ dev_read_sound_mixer($1_t)
+ dev_write_sound_mixer($1_t)
+
+ domain_use_interactive_fds($1_t)
+
+ files_exec_etc_files($1_t)
+ files_search_locks($1_t)
+ # Check to see if cdrom is mounted
+ files_search_mnt($1_t)
+ # cjp: perhaps should cut back on file reads:
+ files_read_var_files($1_t)
+ files_read_var_symlinks($1_t)
+ files_read_generic_spool($1_t)
+ files_read_var_lib_files($1_t)
+ # Stat lost+found.
+ files_getattr_lost_found_dirs($1_t)
+
+ fs_get_all_fs_quotas($1_t)
+ fs_getattr_all_fs($1_t)
+ fs_getattr_all_dirs($1_t)
+ fs_search_auto_mountpoints($1_t)
+
+ # cjp: some of this probably can be removed
+ selinux_get_fs_mount($1_t)
+ selinux_validate_context($1_t)
+ selinux_compute_access_vector($1_t)
+ selinux_compute_create_context($1_t)
+ selinux_compute_relabel_context($1_t)
+ selinux_compute_user_contexts($1_t)
+
+ # for eject
+ storage_getattr_fixed_disk_dev($1_t)
+
+ auth_read_login_records($1_t)
+ auth_dontaudit_write_login_records($1_t)
+ auth_search_pam_console_data($1_t)
+ auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+
+ init_read_utmp($1_t)
+ # The library functions always try to open read-write first,
+ # then fall back to read-only if it fails.
+ init_dontaudit_write_utmp($1_t)
+ # Stop warnings about access to /dev/console
+ init_dontaudit_use_fds($1_t)
+ init_dontaudit_use_script_fds($1_t)
- libs_use_ld_so($1_t)
- libs_use_shared_libs($1_t)
- libs_exec_ld_so($1_t)
libs_exec_lib_files($1_t)
logging_dontaudit_getattr_all_logs($1_t)
- miscfiles_read_localization($1_t)
+ miscfiles_read_man_pages($1_t)
# for running TeX programs
miscfiles_read_tetex_data($1_t)
miscfiles_exec_tetex_data($1_t)
seutil_read_file_contexts($1_t)
seutil_read_default_contexts($1_t)
+ seutil_read_config($1_t)
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-
- tunable_policy(`allow_execmem',`
- # Allow loading DSOs that require executable stack.
- allow $1_t self:process execmem;
- ')
-
- tunable_policy(`allow_execmem && allow_execstack',`
- # Allow making the stack executable via mprotect.
- allow $1_t self:process execstack;
- ')
+ # for when the network connection is killed
+ # this is needed when a login role can change
+ # to this one.
+ seutil_dontaudit_signal_newrole($1_t)
tunable_policy(`read_default_t',`
files_list_default($1_t)
@@ -275,39 +754,6 @@ template(`base_user_template',`
files_dontaudit_read_default_files($1_t)
')
- tunable_policy(`read_untrusted_content',`
- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read };
- ',`
- dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
- dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
- ')
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_t)
- fs_manage_nfs_files($1_t)
- fs_manage_nfs_symlinks($1_t)
- fs_manage_nfs_named_sockets($1_t)
- fs_manage_nfs_named_pipes($1_t)
- fs_exec_nfs_files($1_t)
- ',`
- fs_dontaudit_manage_nfs_dirs($1_t)
- fs_dontaudit_manage_nfs_files($1_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_t)
- fs_manage_cifs_files($1_t)
- fs_manage_cifs_symlinks($1_t)
- fs_manage_cifs_named_sockets($1_t)
- fs_manage_cifs_named_pipes($1_t)
- fs_exec_cifs_files($1_t)
- ',`
- fs_dontaudit_manage_cifs_dirs($1_t)
- fs_dontaudit_manage_cifs_files($1_t)
- ')
-
tunable_policy(`user_direct_mouse',`
dev_read_mouse($1_t)
')
@@ -333,6 +779,10 @@ template(`base_user_template',`
dbus_system_bus_client_template($1,$1_t)
optional_policy(`
+ bluetooth_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
cups_dbus_chat_config($1_t)
')
@@ -356,6 +806,11 @@ template(`base_user_template',`
inn_read_news_spool($1_t)
')
+ # for running depmod as part of the kernel packaging process
+ optional_policy(`
+ modutils_read_module_config($1_t)
+ ')
+
optional_policy(`
mta_rw_spool($1_t)
')
@@ -365,10 +820,8 @@ template(`base_user_template',`
')
optional_policy(`
- ifdef(`strict_policy',`
- tunable_policy(`allow_user_mysql_connect',`
- mysql_stream_connect($1_t)
- ')
+ tunable_policy(`allow_user_mysql_connect',`
+ mysql_stream_connect($1_t)
')
')
@@ -395,8 +848,6 @@ template(`base_user_template',`
')
optional_policy(`
- files_getattr_var_lib_dirs($1_t)
- files_search_var_lib($1_t)
rpm_read_db($1_t)
rpm_dontaudit_manage_db($1_t)
')
@@ -410,25 +861,8 @@ template(`base_user_template',`
')
optional_policy(`
- usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
- usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
- ')
-
- optional_policy(`
usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
')
-
- optional_policy(`
- dev_rw_xserver_misc($1_t)
- xserver_user_client_template($1,$1_t,$1_tmpfs_t)
- xserver_xsession_entry_type($1_t)
- xserver_dontaudit_write_log($1_t)
- xserver_stream_connect_xdm($1_t)
- # certain apps want to read xdm.pid file
- xserver_read_xdm_pid($1_t)
- # gnome-session creates socket under /tmp/.ICE-unix/
- xserver_create_xdm_tmp_sockets($1_t)
- ')
')
#######################################
@@ -449,92 +883,63 @@ template(`base_user_template',`
## </summary>
## </param>
#
-template(`unpriv_user_template', `
+template(`userdom_unpriv_user_template', `
##############################
#
# Declarations
#
# Inherit rules for ordinary users.
- base_user_template($1)
+ userdom_common_user_template($1)
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
-
typeattribute $1_home_dir_t user_home_dir_type;
- files_poly($1_home_dir_t)
-
typeattribute $1_home_t user_home_type;
- files_poly_member($1_home_t)
-
typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode;
+ userdom_poly_home_template($1)
+ userdom_poly_tmp_template($1)
+
##############################
#
# Local policy
#
- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
- term_create_pty($1_t,$1_devpts_t)
-
- # Rules used to associate a homedir as a mountpoint
- allow $1_home_t self:filesystem associate;
- allow $1_file_type $1_home_t:filesystem associate;
-
# privileged home directory writers
- allow privhome $1_home_t:file create_file_perms;
+ allow privhome $1_home_t:file manage_file_perms;
allow privhome $1_home_t:lnk_file create_lnk_perms;
- allow privhome $1_home_t:dir create_dir_perms;
- allow privhome $1_home_t:sock_file create_file_perms;
- allow privhome $1_home_t:fifo_file create_file_perms;
- type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
-
- kernel_read_system_state($1_t)
- kernel_read_network_state($1_t)
-
- dev_read_sysfs($1_t)
+ allow privhome $1_home_t:dir manage_dir_perms;
+ allow privhome $1_home_t:sock_file manage_file_perms;
+ allow privhome $1_home_t:fifo_file manage_file_perms;
+ type_transition privhome $1_home_dir_t:{ dir file lnk_file sock_file fifo_file } $1_home_t;
corecmd_exec_all_executables($1_t)
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+ # Need the following rule to allow users to run vpnc
+ corenet_tcp_bind_xserver_port($1_t)
- files_read_etc_files($1_t)
- files_read_etc_runtime_files($1_t)
- files_list_home($1_t)
- files_read_usr_files($1_t)
files_exec_usr_files($1_t)
- # Read directories and files with the readable_t type.
- # This type is a general type for "world"-readable files.
- files_list_world_readable($1_t)
- files_read_world_readable_files($1_t)
- files_read_world_readable_symlinks($1_t)
- files_read_world_readable_pipes($1_t)
- files_read_world_readable_sockets($1_t)
# cjp: why?
files_read_kernel_symbol_table($1_t)
- init_read_utmp($1_t)
- # The library functions always try to open read-write first,
- # then fall back to read-only if it fails.
- init_dontaudit_write_utmp($1_t)
- # Stop warnings about access to /dev/console
- init_dontaudit_use_fds($1_t)
- init_dontaudit_use_script_fds($1_t)
-
- miscfiles_read_man_pages($1_t)
-
- seutil_read_config($1_t)
- # Allow users to execute checkpolicy without a domain transition
- # so it can be used without privilege to write real binary policy file
- seutil_exec_checkpolicy($1_t)
+ ifndef(`enable_mls',`
+ fs_exec_noxattr($1_t)
- ifdef(`enable_polyinstantiation',`
- type_member $1_t $1_home_dir_t:dir $1_home_t;
- files_poly_member_tmp($1_t,$1_tmp_t)
+ tunable_policy(`user_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files($1_t)
+ fs_manage_noxattr_fs_dirs($1_t)
+ # Write floppies
+ storage_raw_read_removable_device($1_t)
+ storage_raw_write_removable_device($1_t)
+ ',`
+ storage_raw_read_removable_device($1_t)
+ ')
')
tunable_policy(`user_dmesg',`
@@ -543,13 +948,6 @@ template(`unpriv_user_template', `
kernel_dontaudit_read_ring_buffer($1_t)
')
- # Allow users to rw usb devices
- tunable_policy(`user_rw_usb',`
- dev_rw_usbfs($1_t)
- ',`
- dev_read_usbfs($1_t)
- ')
-
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
@@ -558,14 +956,6 @@ template(`unpriv_user_template', `
')
optional_policy(`
- dbus_stub($1_t)
-
- optional_policy(`
- bluetooth_dbus_chat($1_t)
- ')
- ')
-
- optional_policy(`
kerberos_use($1_t)
')
@@ -573,11 +963,6 @@ template(`unpriv_user_template', `
loadkeys_run($1_t,$1_r,$1_tty_device_t)
')
- # for running depmod as part of the kernel packaging process
- optional_policy(`
- modutils_read_module_config($1_t)
- ')
-
optional_policy(`
netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
@@ -588,78 +973,16 @@ template(`unpriv_user_template', `
ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
- optional_policy(`
- # for when the network connection is killed
- seutil_dontaudit_signal_newrole($1_t)
- ')
-
- # Need the following rule to allow users to run vpnc
- optional_policy(`
- corenet_tcp_bind_xserver_port($1_t)
- ')
-
ifdef(`TODO',`
- ifndef(`enable_mls',`
- fs_exec_noxattr($1_t)
-
- tunable_policy(`user_rw_noexattrfile',`
- create_dir_file($1_t, noexattrfile)
- # Write floppies
- storage_raw_read_removable_device($1_t)
- storage_raw_write_removable_device($1_t)
- # cjp: what does this have to do with removable devices?
- allow $1_t usbtty_device_t:chr_file write;
- ',`
- fs_read_noxattr_files($1_t)
- r_dir_file($1_t, noexattrfile)
- allow $1_t removable_device_t:blk_file r_file_perms;
- ')
- ')
-
- dontaudit $1_t boot_t:lnk_file read;
- dontaudit $1_t boot_t:file read;
-
- # do not audit read on disk devices
- dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
-
ifdef(`xdm.te', `
- allow xdm_t $1_home_t:lnk_file read;
- allow xdm_t $1_home_t:dir search;
- #
- # Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
- #
+ # this should cause the .xsession-errors file to be written to /tmp
dontaudit xdm_t $1_home_t:file rw_file_perms;
')
- ifdef(`ftpd.te', `
- tunable_policy(`ftp_home_dir',`
- file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
- ')
- ')
-
- ifdef(`useradd.te', `
- # Useradd relabels /etc/skel files so needs these privs
- allow useradd_t $1_file_type:dir create_dir_perms;
- allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
- ')
-
- # Stat lost+found.
- allow $1_t lost_found_t:dir getattr;
-
- # Read /var, /var/spool, /var/run.
- r_dir_file($1_t, var_t)
- # what about pipes and sockets under /var/spool?
- r_dir_file($1_t, var_spool_t)
- r_dir_file($1_t, var_run_t)
- allow $1_t var_lib_t:dir r_dir_perms;
- allow $1_t var_lib_t:file { getattr read };
-
# Do not audit write denials to /etc/ld.so.cache.
dontaudit $1_t ld_so_cache_t:file write;
dontaudit $1_t sysadm_home_t:file { read append };
-
- allow $1_t initrc_t:fifo_file write;
') dnl end TODO
')
@@ -692,7 +1015,7 @@ template(`unpriv_user_template', `
## </summary>
## </param>
#
-template(`admin_user_template',`
+template(`userdom_admin_user_template',`
gen_require(`
class passwd { passwd chfn chsh rootok crontab };
')
@@ -703,7 +1026,7 @@ template(`admin_user_template',`
#
# Inherit rules for ordinary users.
- base_user_template($1)
+ userdom_common_user_template($1)
typeattribute $1_t privhome;
domain_obj_id_change_exemption($1_t)
@@ -736,11 +1059,6 @@ template(`admin_user_template',`
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
- term_create_pty($1_t,$1_devpts_t)
-
- kernel_read_system_state($1_t)
- kernel_read_network_state($1_t)
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
@@ -762,34 +1080,16 @@ template(`admin_user_template',`
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
- dev_getattr_all_blk_files($1_t)
- dev_getattr_all_chr_files($1_t)
-
- fs_getattr_all_fs($1_t)
- fs_set_all_quotas($1_t)
- fs_exec_noxattr($1_t)
-
- # Get security policy decisions:
- selinux_get_fs_mount($1_t)
- selinux_validate_context($1_t)
- selinux_compute_access_vector($1_t)
- selinux_compute_create_context($1_t)
- selinux_compute_relabel_context($1_t)
- selinux_compute_user_contexts($1_t)
-
- storage_raw_read_removable_device($1_t)
- storage_raw_write_removable_device($1_t)
-
- term_use_console($1_t)
- term_use_unallocated_ttys($1_t)
- term_use_all_user_ptys($1_t)
- term_use_all_user_ttys($1_t)
-
- auth_getattr_shadow($1_t)
- # Manage almost all files
- auth_manage_all_files_except_shadow($1_t)
- # Relabel almost all files
- auth_relabel_all_files_except_shadow($1_t)
+ # for lsof
+ dev_getattr_mtrr_dev($1_t)
+ # Allow MAKEDEV to work
+ dev_create_all_blk_files($1_t)
+ dev_create_all_chr_files($1_t)
+ dev_delete_all_blk_files($1_t)
+ dev_delete_all_chr_files($1_t)
+ dev_rename_all_blk_files($1_t)
+ dev_rename_all_chr_files($1_t)
+ dev_create_generic_symlinks($1_t)
domain_setpriority_all_domains($1_t)
domain_read_all_domains_state($1_t)
@@ -807,13 +1107,27 @@ template(`admin_user_template',`
files_exec_usr_src_files($1_t)
- init_rw_initctl($1_t)
+ fs_getattr_all_fs($1_t)
+ fs_set_all_quotas($1_t)
+ fs_exec_noxattr($1_t)
+
+ storage_raw_read_removable_device($1_t)
+ storage_raw_write_removable_device($1_t)
+
+ term_use_all_terms($1_t)
+
+ auth_getattr_shadow($1_t)
+ # Manage almost all files
+ auth_manage_all_files_except_shadow($1_t)
+ # Relabel almost all files
+ auth_relabel_all_files_except_shadow($1_t)
+
+ init_telinit($1_t)
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
- seutil_read_config($1_t)
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
# cannot directly manipulate policy files with arbitrary programs.
@@ -822,6 +1136,13 @@ template(`admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
+ tunable_policy(`user_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files($1_t)
+ fs_manage_noxattr_fs_dirs($1_t)
+ ',`
+ fs_read_noxattr_fs_files($1_t)
+ ')
+
optional_policy(`
cron_admin_template($1,$1_t,$1_r)
')
@@ -839,65 +1160,11 @@ template(`admin_user_template',`
')
ifdef(`TODO',`
-
- # for lsof
- allow $1_t mtrr_device_t:file getattr;
- allow $1_t eventpollfs_t:file getattr;
-
- allow $1_t serial_device:chr_file setattr;
-
- allow $1_t ptyfile:chr_file getattr;
-
- # Run admin programs that require different permissions in their own domain.
- # These rules were moved into the appropriate program domain file.
-
ifdef(`xserver.te', `
- # Create files in /tmp/.X11-unix with our X servers derived
- # tmp type rather than user_xserver_tmp_t.
- file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
- ')
-
-
- ifdef(`xdm.te', `
tunable_policy(`xdm_sysadm_login',`
allow xdm_t $1_home_t:lnk_file read;
allow xdm_t $1_home_t:dir search;
')
- can_pipe_xdm($1_t)
- ')
-
- # Allow MAKEDEV to work
- allow $1_t device_t:dir rw_dir_perms;
- allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
- allow $1_t device_t:lnk_file { create read };
-
- #
- # A user who is authorized for sysadm_t may nonetheless have
- # a home directory labeled with user_home_t if the user is expected
- # to login in either user_t or sysadm_t. Hence, the derived domains
- # for programs need to be able to access user_home_t.
- #
-
- # Allow our gph domain to write to .xsession-errors.
- ifdef(`gnome-pty-helper.te', `
- allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
- allow $1_gph_t user_home_type:file create_file_perms;
- ')
-
- # Run programs from staff home directories.
- # Not ideal, but typical if users want to login as both sysadm_t or staff_t.
- can_exec($1_t, staff_home_t)
-
- tunable_policy(`user_rw_noexattrfile',`
- create_dir_file($1_t, noexattrfile)
- # Write floppies
- storage_raw_read_removable_device($1_t)
- storage_raw_write_removable_device($1_t)
- # cjp: what does this have to do with removable devices?
- allow $1_t usbtty_device_t:chr_file write;
- ',`
- r_dir_file($1_t, noexattrfile)
- storage_raw_read_removable_device($1_t)
')
') dnl endif TODO
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 49b447d..ba8819b 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.30)
+policy_module(userdomain,1.3.31)
gen_require(`
role sysadm_r, staff_r, user_r;
@@ -56,106 +56,43 @@ attribute untrusted_content_tmp_type;
# Local policy
#
-define(`role_change',`
- allow $1_r $2_r;
- type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
- type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
- # avoid annoying messages on terminal hangup
- dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
-')
-
-ifdef(`targeted_policy',`
- # Define some type aliases to help with compatibility with
- # macros and domains from the "strict" policy.
- unconfined_alias_domain(secadm_t)
- unconfined_alias_domain(auditadm_t)
- unconfined_alias_domain(sysadm_t)
-
- # User home directory type.
- type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
- files_type(user_home_t)
- files_associate_tmp(user_home_t)
- fs_associate_tmpfs(user_home_t)
-
- type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
- files_type(user_home_dir_t)
- files_associate_tmp(user_home_dir_t)
- fs_associate_tmpfs(user_home_dir_t)
-
- # compatibility for switching from strict
-# dominance { role secadm_r { role system_r; }}
-# dominance { role auditadm_r { role system_r; }}
-# dominance { role sysadm_r { role system_r; }}
-# dominance { role user_r { role system_r; }}
-# dominance { role staff_r { role system_r; }}
-
- # dont need to use the full role_change()
- allow sysadm_r system_r;
- allow sysadm_r user_r;
- allow user_r system_r;
- allow user_r sysadm_r;
- allow system_r sysadm_r;
- allow system_r sysadm_r;
-
- allow privhome user_home_t:dir manage_dir_perms;
- allow privhome user_home_t:file create_file_perms;
- allow privhome user_home_t:lnk_file create_lnk_perms;
- allow privhome user_home_t:fifo_file create_file_perms;
- allow privhome user_home_t:sock_file create_file_perms;
- allow privhome user_home_dir_t:dir rw_dir_perms;
- type_transition privhome user_home_dir_t:{ dir file lnk_file fifo_file sock_file } user_home_t;
- files_search_home(privhome)
-
- ifdef(`enable_mls',`
- allow secadm_r system_r;
- allow auditadm_r system_r;
- allow secadm_r user_r;
- allow staff_r secadm_r;
- allow staff_r auditadm_r;
- ')
-
- optional_policy(`
- samba_per_userdomain_template(user)
- ')
-',`
- admin_user_template(sysadm)
- unpriv_user_template(staff)
- unpriv_user_template(user)
+ifdef(`strict_policy',`
+ userdom_admin_user_template(sysadm)
+ userdom_unpriv_user_template(staff)
+ userdom_unpriv_user_template(user)
# user role change rules:
# sysadm_r can change to user roles
- role_change(sysadm, user)
- role_change(sysadm, staff)
+ userdom_role_change_template(sysadm, user)
+ userdom_role_change_template(sysadm, staff)
# only staff_r can change to sysadm_r
- role_change(staff, sysadm)
+ userdom_role_change_template(staff, sysadm)
ifdef(`enable_mls',`
- unpriv_user_template(secadm)
- unpriv_user_template(auditadm)
+ userdom_unpriv_user_template(secadm)
+ userdom_unpriv_user_template(auditadm)
- role_change(staff,auditadm)
- role_change(staff,secadm)
+ userdom_role_change_template(staff,auditadm)
+ userdom_role_change_template(staff,secadm)
- role_change(sysadm,secadm)
- role_change(sysadm,auditadm)
+ userdom_role_change_template(sysadm,secadm)
+ userdom_role_change_template(sysadm,auditadm)
- role_change(auditadm,secadm)
- role_change(auditadm,sysadm)
+ userdom_role_change_template(auditadm,secadm)
+ userdom_role_change_template(auditadm,sysadm)
- role_change(secadm,auditadm)
- role_change(secadm,sysadm)
+ userdom_role_change_template(secadm,auditadm)
+ userdom_role_change_template(secadm,sysadm)
')
# this should be tunable_policy, but
# currently type_change and RBAC allow
# do not work in conditionals
ifdef(`user_canbe_sysadm',`
- role_change(user,sysadm)
+ userdom_role_change_template(user,sysadm)
')
- allow privhome home_root_t:dir { getattr search };
-
########################################
#
# Sysadm local policy
@@ -211,7 +148,7 @@ ifdef(`targeted_policy',`
logging_read_audit_log(secadm_t)
logging_read_generic_logs(secadm_t)
userdom_dontaudit_append_staff_home_content_files(secadm_t)
- ', `
+ ',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
@@ -495,3 +432,58 @@ ifdef(`targeted_policy',`
yam_run(sysadm_t,sysadm_r,admin_terminal)
')
')
+
+ifdef(`targeted_policy',`
+ # Define some type aliases to help with compatibility with
+ # strict policy.
+ unconfined_alias_domain(secadm_t)
+ unconfined_alias_domain(auditadm_t)
+ unconfined_alias_domain(sysadm_t)
+
+ # User home directory type.
+ type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
+ files_type(user_home_t)
+ files_associate_tmp(user_home_t)
+ fs_associate_tmpfs(user_home_t)
+
+ type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
+ files_type(user_home_dir_t)
+ files_associate_tmp(user_home_dir_t)
+ fs_associate_tmpfs(user_home_dir_t)
+
+ # compatibility for switching from strict
+# dominance { role secadm_r { role system_r; }}
+# dominance { role auditadm_r { role system_r; }}
+# dominance { role sysadm_r { role system_r; }}
+# dominance { role user_r { role system_r; }}
+# dominance { role staff_r { role system_r; }}
+
+ # dont need to use the full role_change()
+ allow sysadm_r system_r;
+ allow sysadm_r user_r;
+ allow user_r system_r;
+ allow user_r sysadm_r;
+ allow system_r sysadm_r;
+ allow system_r sysadm_r;
+
+ allow privhome user_home_t:dir manage_dir_perms;
+ allow privhome user_home_t:file create_file_perms;
+ allow privhome user_home_t:lnk_file create_lnk_perms;
+ allow privhome user_home_t:fifo_file create_file_perms;
+ allow privhome user_home_t:sock_file create_file_perms;
+ allow privhome user_home_dir_t:dir rw_dir_perms;
+ type_transition privhome user_home_dir_t:{ dir file lnk_file fifo_file sock_file } user_home_t;
+ files_search_home(privhome)
+
+ ifdef(`enable_mls',`
+ allow secadm_r system_r;
+ allow auditadm_r system_r;
+ allow secadm_r user_r;
+ allow staff_r secadm_r;
+ allow staff_r auditadm_r;
+ ')
+
+ optional_policy(`
+ samba_per_role_template(user)
+ ')
+')
diff --git a/support/Makefile.devel b/support/Makefile.devel
index 0163f2f..38664f9 100644
--- a/support/Makefile.devel
+++ b/support/Makefile.devel
@@ -109,17 +109,28 @@ endif
# Functions
#
+# parse-rolemap-compat modulename,outputfile
+define parse-rolemap-compat
+ $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+ $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
# parse-rolemap modulename,outputfile
define parse-rolemap
$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef
# peruser-expansion modulename,outputfile
define peruser-expansion
- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
+ $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
$(call parse-rolemap,$1,$2)
$(verbose) echo "')" >> $2
+
+ $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+ $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+ $(call parse-rolemap-compat,$1,$2)
+ $(verbose) echo "')" >> $2
endef
.PHONY: clean all xml