sudo, roles: use user exec domain attribute

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/admin/sudo.if

@@ -17,14 +17,19 @@
 ##	is the prefix for user_r).
 ##	</summary>
 ## </param>
-## <param name="user_role">
-##	<summary>
-##	The user role.
-##	</summary>
-## </param>
 ## <param name="user_domain">
 ##	<summary>
-##	The user domain associated with the role.
+##	User domain for the role.
+##	</summary>
+## </param>
+## <param name="user_exec_domain">
+##	<summary>
+##	User exec domain for execute and transition access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
 ##	</summary>
 ## </param>
 #
@@ -44,7 +49,7 @@ template(`sudo_role_template',`
 	userdom_user_application_domain($1_sudo_t, sudo_exec_t)
 	domain_interactive_fd($1_sudo_t)
 	domain_role_change_exemption($1_sudo_t)
-	role $2 types $1_sudo_t;
+	role $4 types $1_sudo_t;
 
 	##############################
 	#
@@ -77,8 +82,8 @@ template(`sudo_role_template',`
 	domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
 
 	# By default, revert to the calling domain when a shell is executed.
-	corecmd_shell_domtrans($1_sudo_t, $3)
-	corecmd_bin_domtrans($1_sudo_t, $3)
+	corecmd_shell_domtrans($1_sudo_t, $2)
+	corecmd_bin_domtrans($1_sudo_t, $2)
 	allow $3 $1_sudo_t:fd use;
 	allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
 	allow $3 $1_sudo_t:process signal_perms;
@@ -118,7 +123,7 @@ template(`sudo_role_template',`
 	term_relabel_all_ttys($1_sudo_t)
 	term_relabel_all_ptys($1_sudo_t)
 
-	auth_run_chk_passwd($1_sudo_t, $2)
+	auth_run_chk_passwd($1_sudo_t, $4)
 	# sudo stores a token in the pam runtime directory
 	auth_manage_pam_runtime_dirs($1_sudo_t)
 	auth_manage_pam_runtime_files($1_sudo_t)

policy/modules/roles/auditadm.te

@@ -52,7 +52,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	sudo_role_template(auditadm, auditadm_r, auditadm_t)
+	sudo_role_template(auditadm, auditadm_t, auditadm_application_exec_domain, auditadm_r)
 ')
 
 optional_policy(`

policy/modules/roles/secadm.te

@@ -65,7 +65,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	sudo_role_template(secadm, secadm_r, secadm_t)
+	sudo_role_template(secadm, secadm_t, secadm_application_exec_domain, secadm_r)
 ')
 
 optional_policy(`

policy/modules/roles/staff.te

@@ -49,7 +49,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	sudo_role_template(staff, staff_r, staff_t)
+	sudo_role_template(staff, staff_t, staff_application_exec_domain, staff_r)
 ')
 
 optional_policy(`

policy/modules/roles/sysadm.te

@@ -1012,7 +1012,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	sudo_role_template(sysadm, sysadm_r, sysadm_t)
+	sudo_role_template(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 ')
 
 optional_policy(`

policy/modules/roles/unprivuser.te

@@ -155,7 +155,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		sudo_role_template(user, user_r, user_t)
+		sudo_role_template(user, user_t, user_application_exec_domain, user_r)
 	')
 
 	optional_policy(`