diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 698f055..55e1b4b 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -117,7 +117,11 @@ MODDIR = $(POLDIR)/modules
BASE_MODULE = $(MODDIR)/kernel
FLASKDIR = $(POLDIR)/flask
-APPCONF = config/appconfig
+ifneq ($(findstring targeted,$(TYPE)),)
+ APPCONF := config/appconfig-targeted
+else
+ APPCONF := config/appconfig-strict
+endif
M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
GLOBALTUN := $(POLDIR)/global_tunables
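Review bot: The new `config/appconfig-targeted` directory has no `media` or `removable_context` file, while `config/appconfig-strict` has both, so any rule that installs a fixed list of files from `$(APPCONF)` would fail for targeted builds; the install rules are outside this hunk and need checking. `$(findstring targeted,$(TYPE))` is also a substring match, so any TYPE containing "targeted" selects the targeted contexts, and every other value, including an empty or mistyped one, silently gets the strict set. A comment above the conditional, e.g. `# select the application context files that match the policy TYPE`, would make the selection explicit.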
diff --git a/refpolicy/config/appconfig-strict/dbus_contexts b/refpolicy/config/appconfig-strict/dbus_contexts
new file mode 100644
index 0000000..116e684
--- /dev/null
+++ b/refpolicy/config/appconfig-strict/dbus_contexts
@@ -0,0 +1,6 @@
+
+
+
+
+
diff --git a/refpolicy/config/appconfig-strict/default_contexts b/refpolicy/config/appconfig-strict/default_contexts
new file mode 100644
index 0000000..0160cdd
--- /dev/null
+++ b/refpolicy/config/appconfig-strict/default_contexts
@@ -0,0 +1,12 @@
+system_r:sulogin_t sysadm_r:sysadm_t
+system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
+system_r:remote_login_t user_r:user_t staff_r:staff_t
+system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mailman_r:user_crond_t
+system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
+staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
+sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
+user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
+sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
+staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t
+user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t
diff --git a/refpolicy/config/appconfig-strict/default_type b/refpolicy/config/appconfig-strict/default_type
new file mode 100644
index 0000000..5212ca4
--- /dev/null
+++ b/refpolicy/config/appconfig-strict/default_type
@@ -0,0 +1,3 @@
+sysadm_r:sysadm_t
+staff_r:staff_t
+user_r:user_t
diff --git a/refpolicy/config/appconfig-strict/failsafe_context b/refpolicy/config/appconfig-strict/failsafe_context
new file mode 100644
index 0000000..2f96c9f
--- /dev/null
+++ b/refpolicy/config/appconfig-strict/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t
diff --git a/refpolicy/config/appconfig-strict/initrc_context b/refpolicy/config/appconfig-strict/initrc_context
new file mode 100644
index 0000000..7fcf70b
--- /dev/null
+++ b/refpolicy/config/appconfig-strict/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t
diff --git a/refpolicy/config/appconfig-strict/media b/refpolicy/config/appconfig-strict/media
new file mode 100644
index 0000000..de2a652
--- /dev/null
+++ b/refpolicy/config/appconfig-strict/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t
+floppy system_u:object_r:removable_device_t
+disk system_u:object_r:fixed_disk_device_t
diff --git a/refpolicy/config/appconfig-strict/removable_context b/refpolicy/config/appconfig-strict/removable_context
new file mode 100644
index 0000000..d4921f0
--- /dev/null
+++ b/refpolicy/config/appconfig-strict/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t
diff --git a/refpolicy/config/appconfig-strict/root_default_contexts b/refpolicy/config/appconfig-strict/root_default_contexts
new file mode 100644
index 0000000..acdcc08
--- /dev/null
+++ b/refpolicy/config/appconfig-strict/root_default_contexts
@@ -0,0 +1,9 @@
+system_r:local_login_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+system_r:crond_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
+staff_r:staff_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+sysadm_r:sysadm_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+user_r:user_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --git a/refpolicy/config/appconfig-strict/userhelper_context b/refpolicy/config/appconfig-strict/userhelper_context
new file mode 100644
index 0000000..081e93b
--- /dev/null
+++ b/refpolicy/config/appconfig-strict/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t
diff --git a/refpolicy/config/appconfig-targeted/dbus_contexts b/refpolicy/config/appconfig-targeted/dbus_contexts
new file mode 100644
index 0000000..116e684
--- /dev/null
+++ b/refpolicy/config/appconfig-targeted/dbus_contexts
@@ -0,0 +1,6 @@
+
+
+
+
+
diff --git a/refpolicy/config/appconfig-targeted/default_contexts b/refpolicy/config/appconfig-targeted/default_contexts
new file mode 100644
index 0000000..06b859a
--- /dev/null
+++ b/refpolicy/config/appconfig-targeted/default_contexts
@@ -0,0 +1,6 @@
+system_r:unconfined_t system_r:unconfined_t
+system_r:initrc_t system_r:unconfined_t
+system_r:local_login_t system_r:unconfined_t
+system_r:remote_login_t system_r:unconfined_t
+system_r:rshd_t system_r:unconfined_t
+system_r:crond_t system_r:unconfined_t
diff --git a/refpolicy/config/appconfig-targeted/default_type b/refpolicy/config/appconfig-targeted/default_type
new file mode 100644
index 0000000..7ba74a9
--- /dev/null
+++ b/refpolicy/config/appconfig-targeted/default_type
@@ -0,0 +1 @@
+system_r:unconfined_t
diff --git a/refpolicy/config/appconfig-targeted/failsafe_context b/refpolicy/config/appconfig-targeted/failsafe_context
new file mode 100644
index 0000000..7ba74a9
--- /dev/null
+++ b/refpolicy/config/appconfig-targeted/failsafe_context
@@ -0,0 +1 @@
+system_r:unconfined_t
diff --git a/refpolicy/config/appconfig-targeted/initrc_context b/refpolicy/config/appconfig-targeted/initrc_context
new file mode 100644
index 0000000..2fd9ae4
--- /dev/null
+++ b/refpolicy/config/appconfig-targeted/initrc_context
@@ -0,0 +1 @@
+user_u:system_r:unconfined_t
diff --git a/refpolicy/config/appconfig-targeted/root_default_contexts b/refpolicy/config/appconfig-targeted/root_default_contexts
new file mode 100644
index 0000000..5e3e986
--- /dev/null
+++ b/refpolicy/config/appconfig-targeted/root_default_contexts
@@ -0,0 +1,2 @@
+system_r:unconfined_t system_r:unconfined_t
+system_r:initrc_t system_r:unconfined_t
diff --git a/refpolicy/config/appconfig-targeted/userhelper_context b/refpolicy/config/appconfig-targeted/userhelper_context
new file mode 100644
index 0000000..4d47460
--- /dev/null
+++ b/refpolicy/config/appconfig-targeted/userhelper_context
@@ -0,0 +1 @@
+system_u:system_r:unconfined_t
diff --git a/refpolicy/config/appconfig/dbus_contexts b/refpolicy/config/appconfig/dbus_contexts
deleted file mode 100644
index 116e684..0000000
--- a/refpolicy/config/appconfig/dbus_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
-
-
-
diff --git a/refpolicy/config/appconfig/default_contexts b/refpolicy/config/appconfig/default_contexts
deleted file mode 100644
index 0160cdd..0000000
--- a/refpolicy/config/appconfig/default_contexts
+++ /dev/null
@@ -1,12 +0,0 @@
-system_r:sulogin_t sysadm_r:sysadm_t
-system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
-system_r:remote_login_t user_r:user_t staff_r:staff_t
-system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
-system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mailman_r:user_crond_t
-system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
-staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
-sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
-user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
-sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
-staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t
-user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t
diff --git a/refpolicy/config/appconfig/default_type b/refpolicy/config/appconfig/default_type
deleted file mode 100644
index 5212ca4..0000000
--- a/refpolicy/config/appconfig/default_type
+++ /dev/null
@@ -1,3 +0,0 @@
-sysadm_r:sysadm_t
-staff_r:staff_t
-user_r:user_t
diff --git a/refpolicy/config/appconfig/failsafe_context b/refpolicy/config/appconfig/failsafe_context
deleted file mode 100644
index 2f96c9f..0000000
--- a/refpolicy/config/appconfig/failsafe_context
+++ /dev/null
@@ -1 +0,0 @@
-sysadm_r:sysadm_t
diff --git a/refpolicy/config/appconfig/initrc_context b/refpolicy/config/appconfig/initrc_context
deleted file mode 100644
index 7fcf70b..0000000
--- a/refpolicy/config/appconfig/initrc_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:system_r:initrc_t
diff --git a/refpolicy/config/appconfig/media b/refpolicy/config/appconfig/media
deleted file mode 100644
index de2a652..0000000
--- a/refpolicy/config/appconfig/media
+++ /dev/null
@@ -1,3 +0,0 @@
-cdrom system_u:object_r:removable_device_t
-floppy system_u:object_r:removable_device_t
-disk system_u:object_r:fixed_disk_device_t
diff --git a/refpolicy/config/appconfig/removable_context b/refpolicy/config/appconfig/removable_context
deleted file mode 100644
index d4921f0..0000000
--- a/refpolicy/config/appconfig/removable_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:object_r:removable_t
diff --git a/refpolicy/config/appconfig/root_default_contexts b/refpolicy/config/appconfig/root_default_contexts
deleted file mode 100644
index acdcc08..0000000
--- a/refpolicy/config/appconfig/root_default_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:local_login_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-system_r:crond_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
-staff_r:staff_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-sysadm_r:sysadm_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-user_r:user_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-#
-# Uncomment if you want to automatically login as sysadm_r
-#
-#system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --git a/refpolicy/config/appconfig/userhelper_context b/refpolicy/config/appconfig/userhelper_context
deleted file mode 100644
index 081e93b..0000000
--- a/refpolicy/config/appconfig/userhelper_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:sysadm_r:sysadm_t
diff --git a/refpolicy/policy/constraints b/refpolicy/policy/constraints
index df25edb..be9b34d 100644
--- a/refpolicy/policy/constraints
+++ b/refpolicy/policy/constraints
@@ -33,38 +33,65 @@
# SELinux process identity change constraint:
#
constrain process transition
- ( u1 == u2 or ( t1 == can_change_process_identity and t2 == userdomain )
-ifdef(`crond.te', `
- or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
-')
-ifdef(`userhelper.te',
- `or (t1 == userhelperdomain)
+ ( u1 == u2 or
+
+ifdef(`targeted_policy',`
+ t1 == can_change_process_identity
+',`
+ ( t1 == can_change_process_identity and t2 == userdomain )
+ ifdef(`crond.te',`
+ or (
+ t1 == crond_t
+ and (
+ t2 == user_crond_domain
+ or u2 == system_u
+ )
+ )
+ ')
+
+ ifdef(`userhelper.te',`
+ or (t1 == userhelperdomain)
+ ')
+
+ ifdef(`TODO',`
+ or (t1 == priv_system_role and u2 == system_u )
+ ') dnl end TODO
')
-ifdef(`TODO',`
- or (t1 == priv_system_role and u2 == system_u )
-') dnl end TODO
- );
+);
#
# SELinux process role change constraint:
#
constrain process transition
- ( r1 == r2 or ( t1 == can_change_process_role and t2 == userdomain )
-ifdef(`crond.te', `
- or (t1 == crond_t and t2 == user_crond_domain)
-')
-ifdef(`userhelper.te',
- `or (t1 == userhelperdomain)
-')
-ifdef(`postfix.te', `
-ifdef(`direct_sysadm_daemon',
- `or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )
-')
+ ( r1 == r2 or
+ifdef(`targeted_policy',`
+ t1 == can_change_process_role
+',`
+ ( t1 == can_change_process_role and t2 == userdomain )
+
+ ifdef(`crond.te',`
+ or (t1 == crond_t and t2 == user_crond_domain)
+ ')
+
+ ifdef(`userhelper.te',`
+ or (t1 == userhelperdomain)
+ ')
+
+ ifdef(`postfix.te',`
+ ifdef(`direct_sysadm_daemon',`
+ or (
+ t1 == sysadm_mail_t
+ and t2 == system_mail_t
+ and r2 == system_r
+ )
+ ')
+ ')
+
+ ifdef(`TODO',`
+ or (t1 == priv_system_role and r2 == system_r )
+ ') dnl end TODO
')
-ifdef(`TODO',`
- or (t1 == priv_system_role and r2 == system_r )
-') dnl end TODO
- );
+);
#
# SELinux dynamic transition constraint:
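Review bot: The targeted branch of both the identity-change and the role-change constraint drops the `t2 == userdomain` restriction. Any type carrying `can_change_process_identity` (or `can_change_process_role`) may then transition to any target type under a different user or role. This looks deliberate, presumably because the user templates are not instantiated in targeted builds, but nothing in the file says so. Each targeted branch should get a comment stating why the target-type check is omitted, since membership of the attribute is now the only gate and should be kept small.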
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 9b0abcf..5ea4411 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1032,8 +1032,11 @@ interface(`kernel_unconfined',`
# allow $1 proc_fs:{ dir file } *;
allow $1 sysctl_t:{ dir file } *;
+
allow $1 kernel_t:system *;
+
allow $1 unlabeled_t:{ dir lnk_file sock_file fifo_file blk_file } *;
+ allow $1 unlabeled_t:filesystem *;
typeattribute $1 can_load_kernmodule, can_receive_kernel_messages;
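Review bot: The added `allow $1 unlabeled_t:filesystem *;` grants every filesystem permission on unlabeled filesystems to each caller of kernel_unconfined, and it has no comment explaining why the wildcard is wanted. The interface's gen_require block is outside this hunk; if it lists object classes, `filesystem` must be declared there too. A short comment above the rule saying which unlabeled filesystems it is meant for would help whoever audits this interface later.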
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index bf5fa47..759046a 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -211,3 +211,7 @@ neverallow ~can_load_kernmodule self:capability sys_module;
# If you load an incompatible policy, you should probably reboot,
# since you may have compromised system security.
init_sigchld(unlabeled_t)
+
+ifdef(`targeted_policy',`
+ allow unlabeled_t self:filesystem associate;
+')
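Review bot: The new `allow unlabeled_t self:filesystem associate;` carries no comment and is restricted to targeted_policy without saying why strict builds do not need it. A line such as `# let unlabeled files reside on unlabeled filesystems` above the rule, together with the reason for the targeted-only guard, would document the intent. If the rule is equally valid for strict, the ifdef can be dropped.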
diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te
index 7ee474b..2d53cc0 100644
--- a/refpolicy/policy/modules/system/corecommands.te
+++ b/refpolicy/policy/modules/system/corecommands.te
@@ -12,6 +12,12 @@ policy_module(corecommands,1.0)
type bin_t;
files_type(bin_t)
+ifdef(`targeted_policy',`
+ # Define some type aliases to help with compatibility with
+ # macros and domains from the "strict" policy.
+ typealias bin_t alias su_exec_t;
+')
+
#
# sbin_t is the type of files in the system sbin directories.
#
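Review bot: Aliasing `su_exec_t` to `bin_t` means every rule written against `su_exec_t` in a targeted build applies to all files labelled `bin_t`, which is far broader than the su binary. The alias also declares the name here, so a targeted build that includes a module declaring `type su_exec_t` itself would presumably fail on a duplicate declaration; no such module is visible in this diff. The comment should name the strict-policy macros that need the alias, so it can be removed once they are converted.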
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 2c975b9..d67e739 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -47,6 +47,11 @@ interface(`domain_type',`
# send init a sigchld
init_sigchld($1)
+ ifdef(`targeted_policy',`
+ unconfined_use_fd($1)
+ unconfined_sigchld($1)
+ ')
+
# this seems highly questionable:
optional_policy(`rpm.te',`
rpm_use_fd($1)
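Review bot: domain_type now calls unconfined_use_fd and unconfined_sigchld for every domain in a targeted build with no guard that the unconfined module is present, whereas the rpm block just below is wrapped in optional_policy keyed on rpm.te. Wrapping the two new calls the same way, keyed on unconfined.te, would keep a targeted build without that module from failing on the gen_require. The grant is also broad, since every domain may use unconfined_t file descriptors and send it SIGCHLD, so it deserves a one-line comment. The interface body starts and ends outside this hunk.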
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 51ba3d8..e92629f 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -785,6 +785,27 @@ interface(`files_list_home',`
########################################
##
+## Create home directories
+##
+##
+## The type of the process performing this action.
+##
+##
+## The type of the home directory
+##
+#
+interface(`files_create_home_dirs',`
+ gen_require(`
+ type home_root_t;
+ class dir rw_dir_perms;
+ ')
+
+ allow $1 home_root_t:dir rw_dir_perms;
+ type_transition $1 home_root_t:dir $2;
+')
+
+########################################
+##
## Create, read, write, and delete objects in
## lost+found directories.
##
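Review bot: The summary says files_create_home_dirs creates home directories, but the body only grants `rw_dir_perms` on `home_root_t` and a type transition to `$2`. The create permission on the new directory type is left to the caller, as both callers in this commit do with a separate `allow ... user_home_dir_t:dir create_dir_perms;`. Either add that allow on `$2:dir` here, or state in the description that the caller must grant it. The transition applies to every directory the domain creates under the home root, which the second parameter's description should mention.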
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index c74aadb..86eb2f5 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -8,7 +8,7 @@
## Domain to make unconfined.
##
#
-template(`unconfined_access_template',`
+template(`unconfined_domain_template',`
# Use any Linux capability.
allow $1 self:capability *;
@@ -73,3 +73,87 @@ template(`unconfined_access_template',`
')
') dnl end TODO
')
+
+########################################
+##
+## Transition to the unconfined domain by executing a shell.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`unconfined_domtrans_shell',`
+
+ gen_require(`
+ unconfined_t;
+ ')
+
+ corecmd_domtrans_shell($1,unconfined_t)
+')
+
+########################################
+##
+## Inherit file descriptors from the unconfined domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`unconfined_use_fd',`
+ gen_require(`
+ type unconfined_t;
+ class fd use;
+ ')
+
+ allow $1 unconfined_t:fd use;
+')
+
+########################################
+##
+## Send a SIGCHLD signal to the unconfined domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`unconfined_sigchld',`
+ gen_require(`
+ type unconfined_t;
+ class process sigchld;
+ ')
+
+ allow $1 unconfined_t:process sigchld;
+')
+
+########################################
+##
+## Read and write unconfined domain unnamed pipes.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`unconfined_rw_pipe',`
+ gen_require(`
+ type unconfined_t;
+ class fifo_file rw_file_perms;
+ ')
+
+ allow $1 unconfined_t:fifo_file rw_file_perms;
+')
+
+########################################
+##
+## Add the unconfined domain to the specified role.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`unconfined_role',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ role $1 types unconfined_t;
+')
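Review bot: The gen_require block in unconfined_domtrans_shell reads `unconfined_t;` without the `type` keyword, unlike the four interfaces after it, which all use `type unconfined_t;`. As written, the requirement is presumably either a syntax error once the interface is expanded or is not recorded at all. Change the line to `type unconfined_t;`. userdom_shell_domtrans_sysadm calls this interface in targeted builds, so the defect is reachable from this commit.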
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 98106af..c112ae6 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -16,8 +16,23 @@ role system_r types unconfined_t;
# Local policy
#
-unconfined_access_template(unconfined_t)
+unconfined_domain_template(unconfined_t)
logging_send_syslog_msg(unconfined_t)
#role sysadm_r types unconfined_t;
#domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
+
+ifdef(`targeted_policy',`
+ allow unconfined_t self:system syslog_read;
+
+ # Define some type aliases to help with compatibility with
+ # macros and domains from the "strict" policy.
+# typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+
+ userdom_unconfined(unconfined_t)
+
+ ifdef(`TODO',`
+ #cjp: why is this needed?
+ ifdef(`samba.te', `samba_domain(user)')
+ ') dnl end TODO
+')
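Review bot: The comment about compatibility aliases sits above a commented-out `typealias` line, so it describes something the policy does not do. Either remove the dead line, or replace it with a note saying why the aliases are disabled and what must happen before they can be enabled. The new `allow unconfined_t self:system syslog_read;` also has no comment. If unconfined_domain_template already grants it, the line is redundant; the template body is outside this hunk.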
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index ae52c22..5cf505e 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -902,11 +902,16 @@ interface(`userdom_spec_domtrans_unpriv_users',`
##
#
interface(`userdom_shell_domtrans_sysadm',`
- gen_require(`
- type sysadm_t;
- ')
+ ifdef(`targeted_policy',`
+ #cjp: need to doublecheck this one
+ unconfined_domtrans_shell($1)
+ ',`
+ gen_require(`
+ type sysadm_t;
+ ')
- corecmd_domtrans_shell($1,sysadm_t)
+ corecmd_domtrans_shell($1,sysadm_t)
+ ')
')
########################################
@@ -939,14 +944,18 @@ interface(`userdom_read_staff_home_files',`
##
#
interface(`userdom_use_sysadm_tty',`
- gen_require(`
- type sysadm_tty_device_t;
- class chr_file rw_term_perms;
- ')
+ ifdef(`targeted_policy',`
+ term_use_unallocated_tty($1)
+ ',`
+ gen_require(`
+ type sysadm_tty_device_t;
+ class chr_file rw_term_perms;
+ ')
- dev_list_all_dev_nodes($1)
- term_list_ptys($1)
- allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
+ dev_list_all_dev_nodes($1)
+ term_list_ptys($1)
+ allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
+ ')
')
########################################
@@ -958,14 +967,18 @@ interface(`userdom_use_sysadm_tty',`
##
#
interface(`userdom_use_sysadm_pty',`
- gen_require(`
- type sysadm_devpts_t;
- class chr_file rw_term_perms;
- ')
+ ifdef(`targeted_policy',`
+ term_use_generic_pty($1)
+ ',`
+ gen_require(`
+ type sysadm_devpts_t;
+ class chr_file rw_term_perms;
+ ')
- dev_list_all_dev_nodes($1)
- term_list_ptys($1)
- allow $1 sysadm_devpts_t:chr_file rw_term_perms;
+ dev_list_all_dev_nodes($1)
+ term_list_ptys($1)
+ allow $1 sysadm_devpts_t:chr_file rw_term_perms;
+ ')
')
########################################
@@ -977,14 +990,8 @@ interface(`userdom_use_sysadm_pty',`
##
#
interface(`userdom_use_sysadm_terms',`
- gen_require(`
- attribute admin_terminal;
- class chr_file rw_term_perms;
- ')
-
- dev_list_all_dev_nodes($1)
- term_list_ptys($1)
- allow $1 admin_terminal:chr_file rw_term_perms;
+ userdom_use_sysadm_tty($1)
+ userdom_use_sysadm_pty($1)
')
########################################
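Review bot: Rewriting userdom_use_sysadm_terms as calls to userdom_use_sysadm_tty and userdom_use_sysadm_pty changes the strict policy as well as the targeted one. The old body allowed access to every type carrying the `admin_terminal` attribute; the new one covers only `sysadm_tty_device_t` and `sysadm_devpts_t`. If any other type carries that attribute, callers lose access to it; the attribute's members are not visible in this diff. The interface description should state that it now covers exactly the sysadm tty and pty types.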
@@ -996,12 +1003,16 @@ interface(`userdom_use_sysadm_terms',`
##
#
interface(`userdom_dontaudit_use_sysadm_terms',`
- gen_require(`
- attribute admin_terminal;
- class chr_file { read write };
- ')
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_generic_pty($1)
+ ',`
+ gen_require(`
+ attribute admin_terminal;
+ class chr_file { read write };
+ ')
- dontaudit $1 admin_terminal:chr_file { read write };
+ dontaudit $1 admin_terminal:chr_file { read write };
+ ')
')
########################################
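Review bot: The targeted branch of userdom_dontaudit_use_sysadm_terms silences denials only on generic ptys, while the targeted path of userdom_use_sysadm_terms covers both unallocated ttys and generic ptys. Denials on the tty side will therefore still be audited in targeted builds. If the asymmetry is intended, a comment in the targeted branch should say so; otherwise add the matching dontaudit call for unallocated ttys.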
@@ -1013,12 +1024,17 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
##
#
interface(`userdom_use_sysadm_fd',`
- gen_require(`
- type sysadm_t;
- class fd use;
- ')
+ ifdef(`targeted_policy',`
+ #cjp: need to doublecheck this one
+ unconfined_use_fd($1)
+ ',`
+ gen_require(`
+ type sysadm_t;
+ class fd use;
+ ')
- allow $1 sysadm_t:fd use;
+ allow $1 sysadm_t:fd use;
+ ')
')
########################################
@@ -1030,12 +1046,17 @@ interface(`userdom_use_sysadm_fd',`
##
#
interface(`userdom_rw_sysadm_pipe',`
- gen_require(`
- type sysadm_t;
- class fd use;
- ')
+ ifdef(`targeted_policy',`
+ #cjp: need to doublecheck this one
+ unconfined_rw_pipe($1)
+ ',`
+ gen_require(`
+ type sysadm_t;
+ class fifo_file rw_file_perms;
+ ')
- allow $1 sysadm_t:fd use;
+ allow $1 sysadm_t:fifo_file rw_file_perms;
+ ')
')
########################################
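Review bot: The strict branch of userdom_rw_sysadm_pipe now grants `sysadm_t:fifo_file rw_file_perms` where it used to grant `sysadm_t:fd use`. That makes the interface match its name, but it removes the fd permission existing callers were getting from it. A domain handed a pipe by sysadm_t normally needs both, so callers should be checked for a separate userdom_use_sysadm_fd call; they are not visible here. The `#cjp: need to doublecheck this one` marker in the targeted branch should be resolved, or turned into a TODO that states what is to be checked.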
@@ -1217,3 +1238,21 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',`
dontaudit $1 user_ttynode:chr_file rw_file_perms;
')
+
+########################################
+##
+## Unconfined access to user domains.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_unconfined',`
+ gen_require(`
+ type user_home_dir_t;
+ class dir create_dir_perms;
+ ')
+
+ allow $1 user_home_dir_t:dir create_dir_perms;
+ files_create_home_dirs($1,user_home_dir_t)
+')
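Review bot: The description "Unconfined access to user domains" overstates what userdom_unconfined does. The body only allows creating `user_home_dir_t` directories and sets up the home-root type transition through files_create_home_dirs. Someone auditing what unconfined_t receives would expect far more from the name and summary. Reword the summary to something like `Create user home directories under the home root`, or add a comment that the interface is a placeholder to be extended.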
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 116761e..a3174c5 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -32,16 +32,11 @@ attribute userdomain;
# unprivileged user domains
attribute unpriv_userdomain;
-admin_user_template(sysadm)
-unpriv_user_template(staff)
-unpriv_user_template(user)
-
########################################
#
# Local policy
#
-# user role change rules:
define(`role_change',`
allow $1_r $2_r;
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
@@ -50,102 +45,129 @@ define(`role_change',`
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
')
-# sysadm_r can change to user roles
-role_change(sysadm, user)
-role_change(sysadm, staff)
+ifdef(`targeted_policy',`
+ # User home directory type.
+ type user_home_t alias { staff_home_t sysadm_home_t}, home_type;
+ type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type;
-# only staff_r can change to sysadm_r
-role_change(staff, sysadm)
+ unconfined_role(user_r)
+ unconfined_role(sysadm_r)
-# this should be tunable_policy, but
-# currently type_change and RBAC allow
-# do not work in conditionals
-ifdef(`user_canbe_sysadm',`
- role_change(user,sysadm)
-')
+ # dont need to use the full role_change()
+ allow sysadm_r system_r;
+ allow user_r system_r;
+ allow user_r sysadm_r;
+ allow system_r sysadm_r;
+ allow system_r sysadm_r;
-ifdef(`TODO',`
-allow privhome home_root_t:dir { getattr search };
+ ifdef(`TODO',`
+ allow privhome home_root_t:dir { getattr search };
+ file_type_auto_trans(privhome, user_home_dir_t, user_home_t)
+ ')
+',`
+ admin_user_template(sysadm)
+ unpriv_user_template(staff)
+ unpriv_user_template(user)
+
+ # user role change rules:
+ # sysadm_r can change to user roles
+ role_change(sysadm, user)
+ role_change(sysadm, staff)
+
+ # only staff_r can change to sysadm_r
+ role_change(staff, sysadm)
+
+ # this should be tunable_policy, but
+ # currently type_change and RBAC allow
+ # do not work in conditionals
+ ifdef(`user_canbe_sysadm',`
+ role_change(user,sysadm)
+ ')
-# Add/remove user home directories
-file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
-')
+ ifdef(`TODO',`
+ allow privhome home_root_t:dir { getattr search };
+ ')
-########################################
-#
-# Sysadm local policy
-#
+ ########################################
+ #
+ # Sysadm local policy
+ #
-# for su
-allow sysadm_t userdomain:fd use;
+ # for su
+ allow sysadm_t userdomain:fd use;
-optional_policy(`bootloader.te',`
- bootloader_run(sysadm_t,sysadm_r,admin_terminal)
-')
+ # Add/remove user home directories
+ allow sysadm_t user_home_dir_t:dir create_dir_perms;
+ files_create_home_dirs(sysadm_t,user_home_dir_t)
-optional_policy(`clock.te',`
- clock_run(sysadm_t,sysadm_r,admin_terminal)
-')
+ optional_policy(`bootloader.te',`
+ bootloader_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
-optional_policy(`fstools.te',`
- fstools_run(sysadm_t,sysadm_r,admin_terminal)
-')
+ optional_policy(`clock.te',`
+ clock_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
-optional_policy(`hostname.te',`
- hostname_run(sysadm_t,sysadm_r,admin_terminal)
-')
+ optional_policy(`fstools.te',`
+ fstools_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
-optional_policy(`iptables.te',`
- iptables_run(sysadm_t,sysadm_r,admin_terminal)
-')
+ optional_policy(`hostname.te',`
+ hostname_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
-optional_policy(`libraries.te',`
- libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
-')
+ optional_policy(`iptables.te',`
+ iptables_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
-optional_policy(`lvm.te',`
- lvm_run(sysadm_t,sysadm_r,admin_terminal)
-')
+ optional_policy(`libraries.te',`
+ libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
+ ')
-optional_policy(`modutils.te',`
- modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
- modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
- modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
-')
+ optional_policy(`lvm.te',`
+ lvm_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
-optional_policy(`logrotate.te',`
- logrotate_run(sysadm_t,sysadm_r,admin_terminal)
-')
+ optional_policy(`modutils.te',`
+ modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
+ modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
+ modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
+ ')
-optional_policy(`mount.te',`
- mount_run(sysadm_t,sysadm_r,admin_terminal)
-')
+ optional_policy(`logrotate.te',`
+ logrotate_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
-optional_policy(`netutils.te',`
- netutils_run(sysadm_t,sysadm_r,admin_terminal)
- netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
- netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
-')
+ optional_policy(`mount.te',`
+ mount_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
-optional_policy(`rpm.te',`
- rpm_run(sysadm_t,sysadm_r,admin_terminal)
-')
+ optional_policy(`netutils.te',`
+ netutils_run(sysadm_t,sysadm_r,admin_terminal)
+ netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
+ netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
+ ')
-optional_policy(`selinux.te',`
- seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
- seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
- seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
- seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
- optional_policy(`targeted_policy',`',`
- seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+ optional_policy(`rpm.te',`
+ rpm_run(sysadm_t,sysadm_r,admin_terminal)
')
-')
-optional_policy(`sysnetwork.te',`
- sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
-')
+ optional_policy(`selinux.te',`
+ seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
+ seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
+ seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
+ seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
+ optional_policy(`targeted_policy',`',`
+ seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+ ')
+ ')
+
+ optional_policy(`sysnetwork.te',`
+ sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
+ ')
-optional_policy(`usermanage.te',`
- usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
- usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
+ optional_policy(`usermanage.te',`
+ usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
+ usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
+ ')
')
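Review bot: The targeted branch contains `allow system_r sysadm_r;` twice in a row, so one of the five role allows is either redundant or a typo for a different pair; no rule from `system_r` or `sysadm_r` to `user_r` is present. Please state which role changes are intended and fix the duplicate. These plain allows also let `user_r` change to `sysadm_r` without the type_change and dontaudit rules that role_change adds. The comment `dont need to use the full role_change()` should therefore say why that is acceptable in targeted builds.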
diff --git a/refpolicy/policy/users b/refpolicy/policy/users
index 3e45e02..76f8f53 100644
--- a/refpolicy/policy/users
+++ b/refpolicy/policy/users
@@ -24,7 +24,11 @@ gen_user(system_u, system_r, s0, s0 - s9:c0.c127)
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
+ifdef(`targeted_policy',`
+gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
+',`
gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
+')
#
# The following users correspond to Unix identities.
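Review bot: Under targeted_policy `user_u` is authorised for `sysadm_r` and `system_r` as well as `user_r`, but the comment above it only says to remove the entry if such users should get no access. The second hunk does the same for `root`, where the surviving comment about using `staff_r` no longer matches the targeted entry `user_r sysadm_r system_r`. Each comment should gain a line such as `# targeted: logins run as unconfined_t, so this identity may enter sysadm_r and system_r`, so the broad role set is visibly intentional.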
@@ -33,4 +37,8 @@ gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
+ifdef(`targeted_policy',`
+gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
+',`
gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127)
+')