Add role attributes to usermanage.

2011-08-12 10:39:01 -04:00 · 2011-08-12 10:39:01 -04:00 · af1f9606c3
parent 26761b31cd
commit af1f9606c3
2 changed files with 35 additions and 38 deletions
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@ -41,11 +41,11 @@ interface(`usermanage_domtrans_chfn',`
 #
 interface(`usermanage_run_chfn',`
 	gen_require(`
-		type chfn_t;
+		attribute_role chfn_roles;
 	')

 	usermanage_domtrans_chfn($1)
-	role $2 types chfn_t;
+	roleattribute $2 chfn_roles;
 ')

 ########################################
@ -90,15 +90,11 @@ interface(`usermanage_domtrans_groupadd',`
 #
 interface(`usermanage_run_groupadd',`
 	gen_require(`
-		type groupadd_t;
+		attribute_role groupadd_roles;
 	')

 	usermanage_domtrans_groupadd($1)
-	role $2 types groupadd_t;
-
-	optional_policy(`
-		nscd_run(groupadd_t, $2)
-	')
+	roleattribute $2 groupadd_roles;
 ')

 ########################################
@ -160,12 +156,11 @@ interface(`usermanage_kill_passwd',`
 #
 interface(`usermanage_run_passwd',`
 	gen_require(`
-		type passwd_t;
+		attribute_role passwd_roles;
 	')

 	usermanage_domtrans_passwd($1)
-	role $2 types passwd_t;
-	auth_run_chk_passwd(passwd_t, $2)
+	roleattribute $2 passwd_roles;
 ')

 ########################################
@ -208,15 +203,11 @@ interface(`usermanage_domtrans_admin_passwd',`
 #
 interface(`usermanage_run_admin_passwd',`
 	gen_require(`
-		type sysadm_passwd_t;
+		attribute_role sysadm_passwd_roles;
 	')

 	usermanage_domtrans_admin_passwd($1)
-	role $2 types sysadm_passwd_t;
-
-	optional_policy(`
-		nscd_run(sysadm_passwd_t, $2)
-	')
+	roleattribute $2 sysadm_passwd_roles;
 ')

 ########################################
@ -279,17 +270,11 @@ interface(`usermanage_domtrans_useradd',`
 #
 interface(`usermanage_run_useradd',`
 	gen_require(`
-		type useradd_t;
+		attribute_role useradd_roles;
 	')

 	usermanage_domtrans_useradd($1)
-	role $2 types useradd_t;
-
-	seutil_run_semanage(useradd_t, $2)
-
-	optional_policy(`
-		nscd_run(useradd_t, $2)
-	')
+	roleattribute $2 useradd_roles;
 ')

 ########################################
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@ -5,6 +5,19 @@ policy_module(usermanage, 1.16.0)
 # Declarations
 #

+attribute_role chfn_roles;
+role system_r types chfn_t;
+
+attribute_role groupadd_roles;
+
+attribute_role passwd_roles;
+roleattribute system_r passwd_roles;
+
+attribute_role sysadm_passwd_roles;
+roleattribute system_r sysadm_passwd_roles;
+
+attribute_role useradd_roles;
+
 type admin_passwd_exec_t;
 files_type(admin_passwd_exec_t)

@ -12,7 +25,6 @@ type chfn_t;
 type chfn_exec_t;
 domain_obj_id_change_exemption(chfn_t)
 application_domain(chfn_t, chfn_exec_t)
-role system_r types chfn_t;

 type crack_t;
 type crack_exec_t;
@ -34,12 +46,12 @@ type passwd_t;
 type passwd_exec_t;
 domain_obj_id_change_exemption(passwd_t)
 application_domain(passwd_t, passwd_exec_t)
-role system_r types passwd_t;
+role passwd_roles types passwd_t;

 type sysadm_passwd_t;
 domain_obj_id_change_exemption(sysadm_passwd_t)
 application_domain(sysadm_passwd_t, admin_passwd_exec_t)
-role system_r types sysadm_passwd_t;
+role sysadm_passwd_roles types sysadm_passwd_t;

 type sysadm_passwd_tmp_t;
 files_tmp_file(sysadm_passwd_tmp_t)
@ -88,7 +100,7 @@ fs_search_auto_mountpoints(chfn_t)
 # for SSP
 dev_read_urand(chfn_t)

-auth_domtrans_chk_passwd(chfn_t)
+auth_run_chk_passwd(chfn_t, chfn_roles)
 auth_dontaudit_read_shadow(chfn_t)
 auth_use_nsswitch(chfn_t)

@ -216,7 +228,7 @@ logging_send_syslog_msg(groupadd_t)

 miscfiles_read_localization(groupadd_t)

-auth_domtrans_chk_passwd(groupadd_t)
+auth_run_chk_passwd(groupadd_t, groupadd_roles)
 auth_rw_lastlog(groupadd_t)
 auth_use_nsswitch(groupadd_t)
 # these may be unnecessary due to the above
@ -237,7 +249,7 @@ optional_policy(`
 ')

 optional_policy(`
-	nscd_domtrans(groupadd_t)
+	nscd_run(groupadd_t, groupadd_roles)
 ')

 optional_policy(`
@ -294,7 +306,7 @@ selinux_compute_user_contexts(passwd_t)
 term_use_all_ttys(passwd_t)
 term_use_all_ptys(passwd_t)

-auth_domtrans_chk_passwd(passwd_t)
+auth_run_chk_passwd(passwd_t, passwd_roles)
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
 auth_etc_filetrans_shadow(passwd_t)
@ -334,7 +346,7 @@ userdom_read_user_tmp_files(passwd_t)
 userdom_dontaudit_search_user_home_content(passwd_t)

 optional_policy(`
-	nscd_domtrans(passwd_t)
+	nscd_run(passwd_t, passwd_roles)
 ')

 ########################################
@ -418,7 +430,7 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
 userdom_dontaudit_search_user_home_content(sysadm_passwd_t)

 optional_policy(`
-	nscd_domtrans(sysadm_passwd_t)
+	nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
 ')

 ########################################
@ -472,7 +484,7 @@ selinux_compute_user_contexts(useradd_t)
 term_use_all_ttys(useradd_t)
 term_use_all_ptys(useradd_t)

-auth_domtrans_chk_passwd(useradd_t)
+auth_run_chk_passwd(useradd_t, useradd_roles)
 auth_rw_lastlog(useradd_t)
 auth_rw_faillog(useradd_t)
 auth_use_nsswitch(useradd_t)
@ -493,8 +505,8 @@ miscfiles_read_localization(useradd_t)
 seutil_read_config(useradd_t)
 seutil_read_file_contexts(useradd_t)
 seutil_read_default_contexts(useradd_t)
-seutil_domtrans_semanage(useradd_t)
-seutil_domtrans_setfiles(useradd_t)
+seutil_run_semanage(useradd_t, useradd_roles)
+seutil_run_setfiles(useradd_t, useradd_roles)

 userdom_use_unpriv_users_fds(useradd_t)
 # Add/remove user home directories
@ -525,7 +537,7 @@ optional_policy(`
 ')

 optional_policy(`
-	nscd_domtrans(useradd_t)
+	nscd_run(useradd_t, useradd_roles)
 ')

 optional_policy(`