remove newrole privs from su and sudo

refpolicy/Changelog

@@ -1,3 +1,5 @@
+- Remove role change rules in su and sudo since this functionality has been
+  removed from these programs.
 - Add ctags Make target from Thomas Bleher.
 - Collapse commands with grep piped to sed into one sed command.
 - Fix type_change bug in term_user_pty().

refpolicy/policy/modules/admin/su.if

@@ -8,9 +8,6 @@ template(`su_restricted_domain_template', `
 	type $1_su_t;
 	domain_entry_file($1_su_t,su_exec_t)
 	domain_type($1_su_t)
-	domain_role_change_exempt($1_su_t)
-	domain_subj_id_change_exempt($1_su_t)
-	domain_obj_id_change_exempt($1_su_t)
 	domain_wide_inherit_fd($1_su_t)
 	role $3 types $1_su_t;
 
@@ -48,13 +45,6 @@ template(`su_restricted_domain_template', `
 	files_search_var_lib($1_su_t)
 	files_dontaudit_getattr_tmp_dir($1_su_t)
 
-	selinux_get_fs_mount($1_su_t)
-	selinux_validate_context($1_su_t)
-	selinux_compute_access_vector($1_su_t)
-	selinux_compute_create_context($1_su_t)
-	selinux_compute_relabel_context($1_su_t)
-	selinux_compute_user_contexts($1_su_t)
-
 	auth_domtrans_chk_passwd($1_su_t)
 	auth_dontaudit_read_shadow($1_su_t)
 	auth_use_nsswitch($1_su_t)
@@ -73,12 +63,6 @@ template(`su_restricted_domain_template', `
 
 	miscfiles_read_localization($1_su_t)
 
-	seutil_read_config($1_su_t)
-	seutil_read_default_contexts($1_su_t)
-
-	# Only allow transitions to unprivileged user domains.
-	userdom_spec_domtrans_unpriv_users($1_su_t)
-
 	optional_policy(`cron',`
 		cron_read_pipe($1_su_t)
 	')
@@ -133,9 +117,6 @@ template(`su_per_userdomain_template',`
 	type $1_su_t;
 	domain_entry_file($1_su_t,su_exec_t)
 	domain_type($1_su_t)
-	domain_role_change_exempt($1_su_t)
-	domain_subj_id_change_exempt($1_su_t)
-	domain_obj_id_change_exempt($1_su_t)
 	domain_wide_inherit_fd($1_su_t)
 	role $3 types $1_su_t;
 
@@ -169,20 +150,6 @@ template(`su_per_userdomain_template',`
 
 	fs_search_auto_mountpoints($1_su_t)
 
-	selinux_get_fs_mount($1_su_t)
-	selinux_validate_context($1_su_t)
-	selinux_compute_access_vector($1_su_t)
-	selinux_compute_create_context($1_su_t)
-	selinux_compute_relabel_context($1_su_t)
-	selinux_compute_user_contexts($1_su_t)
-
-	# Relabel ttys and ptys.
-	term_relabel_all_user_ttys($1_su_t)
-	term_relabel_all_user_ptys($1_su_t)
-	# Close and re-open ttys and ptys to get the fd into the correct domain.
-	term_use_all_user_ttys($1_su_t)
-	term_use_all_user_ptys($1_su_t)
-
 	auth_domtrans_user_chk_passwd($1,$1_su_t)
 	auth_dontaudit_read_shadow($1_su_t)
 	auth_use_nsswitch($1_su_t)
@@ -208,27 +175,11 @@ template(`su_per_userdomain_template',`
 
 	miscfiles_read_localization($1_su_t)
 
-	seutil_read_config($1_su_t)
-	seutil_read_default_contexts($1_su_t)
-
 	userdom_use_user_terminals($1,$1_su_t)
 	userdom_search_user_home($1,$1_su_t)
 
 	ifdef(`enable_polyinstantiation',`
-		mls_file_read_up($1_su_t)
-		mls_file_write_down($1_su_t)
-		mls_file_upgrade($1_su_t)
-		mls_file_downgrade($1_su_t)
-		mls_process_set_level($1_su_t)
-
-		# Su can polyinstantiate
-		files_polyinstantiate_all($1_su_t)
-
-		# Su needs additional permission to mount over a previous mount
-		files_mounton_all_poly_members($1_su_t)
-
-		# Su has to unmount polyinstantiated directories (like home)
-		# that should not be polyinstantiated under the new user
+		fs_mount_xattr_fs($1_su_t)
 		fs_unmount_xattr_fs($1_su_t)
 	')
 
@@ -243,22 +194,6 @@ template(`su_per_userdomain_template',`
 		corecmd_exec_bin($1_su_t)
 		userdom_manage_all_user_files($1_su_t)
 		userdom_manage_all_user_symlinks($1_su_t)
-
-		# newrole does not make any sense in
-		# the targeted policy.  This is to
-		# make sediff easier.
-		if(!secure_mode) {
-			unconfined_domtrans($1_su_t)
-			unconfined_signal($1_su_t)
-		}
-	',`
-		if(secure_mode) {
-			# Only allow transitions to unprivileged user domains.
-			userdom_spec_domtrans_unpriv_users($1_su_t)
-		} else {
-			# Allow transitions to all user domains
-			userdom_spec_domtrans_all_users($1_su_t)
-		}
 	')
 
 	tunable_policy(`use_nfs_home_dirs',`

refpolicy/policy/modules/admin/sudo.if

@@ -43,10 +43,6 @@ template(`sudo_per_userdomain_template',`
 	domain_type($1_sudo_t)
 	domain_entry_file($1_sudo_t,sudo_exec_t)
 	domain_wide_inherit_fd($1_sudo_t)
-	domain_subj_id_change_exempt($1_sudo_t)
-	domain_role_change_exempt($1_sudo_t)
-	domain_obj_id_change_exempt($1_sudo_t)
-
 	role $3 types $1_sudo_t;
 
 	##############################
@@ -92,18 +88,6 @@ template(`sudo_per_userdomain_template',`
 	fs_search_auto_mountpoints($1_sudo_t)
 	fs_getattr_xattr_fs($1_sudo_t)
 
-	selinux_get_fs_mount($1_sudo_t)
-	selinux_validate_context($1_sudo_t)
-	selinux_compute_access_vector($1_sudo_t)
-	selinux_compute_create_context($1_sudo_t)
-	selinux_compute_relabel_context($1_sudo_t)
-	selinux_compute_user_contexts($1_sudo_t)
-
-	term_use_all_user_ttys($1_sudo_t)
-	term_use_all_user_ptys($1_sudo_t)
-	term_relabel_all_user_ttys($1_sudo_t)
-	term_relabel_all_user_ptys($1_sudo_t)
-
 	auth_domtrans_chk_passwd($1_sudo_t)
 
 	corecmd_getattr_bin_file($1_sudo_t)
@@ -130,31 +114,15 @@ template(`sudo_per_userdomain_template',`
 
 	miscfiles_read_localization($1_sudo_t)
 
-	mls_file_read_up($1_sudo_t)
-	mls_file_write_down($1_sudo_t)
-	mls_file_upgrade($1_sudo_t)
-	mls_file_downgrade($1_sudo_t)
-	mls_process_set_level($1_sudo_t)
-
-	seutil_read_config($1_sudo_t)
-	seutil_read_default_contexts($1_sudo_t)
-
 	userdom_manage_user_home_subdir_files($1,$1_sudo_t)
 	userdom_manage_user_home_subdir_symlinks($1,$1_sudo_t)
 	userdom_manage_user_tmp_files($1,$1_sudo_t)
 	userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
+	userdom_use_user_terminals($1,$1_sudo_t)
 	userdom_use_unpriv_users_fd($1_sudo_t)
 	# for some PAM modules and for cwd
 	userdom_dontaudit_search_all_users_home($1_sudo_t)
 
-	# if secure mode is enabled, then sudo
-	# can only transition to unprivileged users
-	if(secure_mode) {
-		userdom_spec_domtrans_unpriv_users($1_sudo_t)
-	} else {
-		userdom_spec_domtrans_all_users($1_sudo_t)
-	}
-
 	optional_policy(`nis',`
 		nis_use_ypbind($1_sudo_t)
 	')