From c87e150280bde84f677f96a57f292cb869f2cfa3 Mon Sep 17 00:00:00 2001
From: Jeremy Solt
Date: Wed, 21 Jul 2010 10:39:57 -0400
Subject: [PATCH] roles patch from Dan Walsh to move unwanted interface calls into a ifndef
---
 policy/modules/roles/staff.te | 243 +++++++++++++--------------
 policy/modules/roles/sysadm.te | 99 +++++------
 policy/modules/roles/unprivuser.te | 260 +++++++++++++++--------------
 3 files changed, 304 insertions(+), 298 deletions(-)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 30754e49a..a589c5527 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -18,119 +18,22 @@ optional_policy(` apache_role(staff_r, staff_t) ') -optional_policy(` - auth_role(staff_r, staff_t) -') - optional_policy(` auditadm_role_change(staff_r) ') -optional_policy(` - bluetooth_role(staff_r, staff_t) -') - -optional_policy(` - cdrecord_role(staff_r, staff_t) -') - -optional_policy(` - cron_role(staff_r, staff_t) -') - -optional_policy(` - dbus_role_template(staff, staff_r, staff_t) -') - -optional_policy(` - evolution_role(staff_r, staff_t) -') - -optional_policy(` - games_role(staff_r, staff_t) -') - -optional_policy(` - gift_role(staff_r, staff_t) -') - -optional_policy(` - gnome_role(staff_r, staff_t) -') - -optional_policy(` - gpg_role(staff_r, staff_t) -') - -optional_policy(` - irc_role(staff_r, staff_t) -') - -optional_policy(` - java_role(staff_r, staff_t) -') - -optional_policy(` - lockdev_role(staff_r, staff_t) -') - -optional_policy(` - lpd_role(staff_r, staff_t) -') - -optional_policy(` - mozilla_role(staff_r, staff_t) -') - -optional_policy(` - mplayer_role(staff_r, staff_t) -') - -optional_policy(` - mta_role(staff_r, staff_t) -') - -optional_policy(` - oident_manage_user_content(staff_t) - oident_relabel_user_content(staff_t) -') - optional_policy(` postgresql_role(staff_r, staff_t) ') -optional_policy(` - pyzor_role(staff_r, staff_t) -') - -optional_policy(` - razor_role(staff_r, staff_t) -') - -optional_policy(` - rssh_role(staff_r, staff_t) -') - -optional_policy(` - screen_role_template(staff, staff_r, staff_t) -') - optional_policy(` secadm_role_change(staff_r) ') -optional_policy(` - spamassassin_role(staff_r, staff_t) -') - optional_policy(` ssh_role_template(staff, staff_r, staff_t) ') -optional_policy(` - su_role_template(staff, staff_r, staff_t) -') - optional_policy(` sudo_role_template(staff, staff_r, staff_t) ') 
@@ -140,30 +43,128 @@ optional_policy(` userdom_dontaudit_use_user_terminals(staff_t) ') -optional_policy(` - thunderbird_role(staff_r, staff_t) -') - -optional_policy(` - tvtime_role(staff_r, staff_t) -') - -optional_policy(` - uml_role(staff_r, staff_t) -') - -optional_policy(` - userhelper_role_template(staff, staff_r, staff_t) -') - -optional_policy(` - vmware_role(staff_r, staff_t) -') - -optional_policy(` - wireshark_role(staff_r, staff_t) -') - optional_policy(` xserver_role(staff_r, staff_t) ') + +ifndef(`distro_redhat',` + optional_policy(` + auth_role(staff_r, staff_t) + ') + + optional_policy(` + bluetooth_role(staff_r, staff_t) + ') + + optional_policy(` + cdrecord_role(staff_r, staff_t) + ') + + optional_policy(` + cron_role(staff_r, staff_t) + ') + + optional_policy(` + dbus_role_template(staff, staff_r, staff_t) + ') + + optional_policy(` + evolution_role(staff_r, staff_t) + ') + + optional_policy(` + games_role(staff_r, staff_t) + ') + + optional_policy(` + gift_role(staff_r, staff_t) + ') + + optional_policy(` + gnome_role(staff_r, staff_t) + ') + + optional_policy(` + gpg_role(staff_r, staff_t) + ') + + optional_policy(` + irc_role(staff_r, staff_t) + ') + + optional_policy(` + java_role(staff_r, staff_t) + ') + + optional_policy(` + lockdev_role(staff_r, staff_t) + ') + + optional_policy(` + lpd_role(staff_r, staff_t) + ') + + optional_policy(` + mozilla_role(staff_r, staff_t) + ') + + optional_policy(` + mplayer_role(staff_r, staff_t) + ') + + optional_policy(` + mta_role(staff_r, staff_t) + ') + + optional_policy(` + oident_manage_user_content(staff_t) + oident_relabel_user_content(staff_t) + ') + optional_policy(` + pyzor_role(staff_r, staff_t) + ') + + optional_policy(` + razor_role(staff_r, staff_t) + ') + + optional_policy(` + rssh_role(staff_r, staff_t) + ') + + optional_policy(` + screen_role_template(staff, staff_r, staff_t) + ') + + optional_policy(` + spamassassin_role(staff_r, staff_t) + ') + + optional_policy(` + 
su_role_template(staff, staff_r, staff_t) + ') + + optional_policy(` + thunderbird_role(staff_r, staff_t) + ') + + optional_policy(` + tvtime_role(staff_r, staff_t) + ') + + optional_policy(` + uml_role(staff_r, staff_t) + ') + + optional_policy(` + userhelper_role_template(staff, staff_r, staff_t) + ') + + optional_policy(` + vmware_role(staff_r, staff_t) + ') + + optional_policy(` + wireshark_role(staff_r, staff_t) + ') +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 794e06fb9..2a19751f2 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -85,10 +85,6 @@ optional_policy(` auditadm_role_change(sysadm_r) ') -optional_policy(` - auth_role(sysadm_r, sysadm_t) -') - optional_policy(` backup_run(sysadm_t, sysadm_r) ') @@ -97,18 +93,10 @@ optional_policy(` bind_run_ndc(sysadm_t, sysadm_r) ') -optional_policy(` - bluetooth_role(sysadm_r, sysadm_t) -') - optional_policy(` bootloader_run(sysadm_t, sysadm_r) ') -optional_policy(` - cdrecord_role(sysadm_r, sysadm_t) -') - optional_policy(` certwatch_run(sysadm_t, sysadm_r) ') @@ -125,18 +113,10 @@ optional_policy(` consoletype_run(sysadm_t, sysadm_r) ') -optional_policy(` - cron_admin_role(sysadm_r, sysadm_t) -') - optional_policy(` cvs_exec(sysadm_t) ') -optional_policy(` - dbus_role_template(sysadm, sysadm_r, sysadm_t) -') - optional_policy(` dcc_run_cdcc(sysadm_t, sysadm_r) dcc_run_client(sysadm_t, sysadm_r) @@ -159,10 +139,6 @@ optional_policy(` dpkg_run(sysadm_t, sysadm_r) ') -optional_policy(` - evolution_role(sysadm_r, sysadm_t) -') - optional_policy(` firstboot_run(sysadm_t, sysadm_r) ') @@ -171,22 +147,6 @@ optional_policy(` fstools_run(sysadm_t, sysadm_r) ') -optional_policy(` - games_role(sysadm_r, sysadm_t) -') - -optional_policy(` - gift_role(sysadm_r, sysadm_t) -') - -optional_policy(` - gnome_role(sysadm_r, sysadm_t) -') - -optional_policy(` - gpg_role(sysadm_r, sysadm_t) -') - optional_policy(` hostname_run(sysadm_t, sysadm_r) ') 
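Review bot: The ifndef on distro_redhat appended to staff.te has no comment saying why these role interfaces are skipped on Red Hat builds, and the commit message only calls them unwanted; the same gap applies to the matching blocks added to sysadm.te and unprivuser.te. With distro_redhat defined, staff_t no longer receives auth_role, su_role_template, cron_role, gpg_role and the other listed interfaces from this module, while ssh_role_template and sudo_role_template stay unconditional. Someone auditing staff_r therefore cannot tell from the file whether that access is granted elsewhere or removed on purpose. I would put a line above the block such as `# Skipped when distro_redhat is defined; note here where (or whether) staff_r gets this access on those builds.` Separately, the new block lacks the blank line between the oident_* optional_policy and the pyzor_role one that every other pair of blocks has.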
@@ -205,14 +165,6 @@ optional_policy(` iptables_run(sysadm_t, sysadm_r) ') -optional_policy(` - irc_role(sysadm_r, sysadm_t) -') - -optional_policy(` - java_role(sysadm_r, sysadm_t) -') - optional_policy(` kudzu_run(sysadm_t, sysadm_r) ') @@ -444,3 +396,54 @@ optional_policy(` optional_policy(` yam_run(sysadm_t, sysadm_r) ') + +ifndef(`distro_redhat',` + optional_policy(` + auth_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + bluetooth_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + cdrecord_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + cron_admin_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + dbus_role_template(sysadm, sysadm_r, sysadm_t) + ') + + optional_policy(` + evolution_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + games_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + gift_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + gnome_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + gpg_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + irc_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + java_role(sysadm_r, sysadm_t) + ') +') + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index d5d504221..e8a507d9f 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te 
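Review bot: The ifndef block is appended after yam_run at the end of sysadm.te, which takes auth_role through java_role out of the alphabetical order the surrounding optional_policy blocks follow, and the hunk also adds an empty line after the closing `')` at end of file. cron_admin_role is among the moved calls, so with distro_redhat defined sysadm_t no longer gets the cron administration interface from this module. Whether another module grants it on those builds is not visible in the patch, so that deserves a sentence in the commit message or a comment on the block. I would drop the trailing empty line and either keep the conditional calls in their alphabetical positions or head the block with a comment listing what it holds.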
@@ -16,139 +16,141 @@ optional_policy(` apache_role(user_r, user_t) ') -optional_policy(` - auth_role(user_r, user_t) -') - -optional_policy(` - bluetooth_role(user_r, user_t) -') - -optional_policy(` - cdrecord_role(user_r, user_t) -') - -optional_policy(` - cron_role(user_r, user_t) -') - -optional_policy(` - dbus_role_template(user, user_r, user_t) -') - -optional_policy(` - evolution_role(user_r, user_t) -') - -optional_policy(` - games_role(user_r, user_t) -') - -optional_policy(` - gift_role(user_r, user_t) -') - -optional_policy(` - gnome_role(user_r, user_t) -') - -optional_policy(` - gpg_role(user_r, user_t) -') - -optional_policy(` - irc_role(user_r, user_t) -') - -optional_policy(` - java_role(user_r, user_t) -') - -optional_policy(` - lockdev_role(user_r, user_t) -') - -optional_policy(` - lpd_role(user_r, user_t) -') - -optional_policy(` - mozilla_role(user_r, user_t) -') - -optional_policy(` - mplayer_role(user_r, user_t) -') - -optional_policy(` - mta_role(user_r, user_t) -') - -optional_policy(` - oident_manage_user_content(user_t) - oident_relabel_user_content(user_t) -') - -optional_policy(` - postgresql_role(user_r, user_t) -') - -optional_policy(` - pyzor_role(user_r, user_t) -') - -optional_policy(` - razor_role(user_r, user_t) -') - -optional_policy(` - rssh_role(user_r, user_t) -') - optional_policy(` screen_role_template(user, user_r, user_t) ') -optional_policy(` - spamassassin_role(user_r, user_t) -') - -optional_policy(` - ssh_role_template(user, user_r, user_t) -') - -optional_policy(` - su_role_template(user, user_r, user_t) -') - -optional_policy(` - sudo_role_template(user, user_r, user_t) -') - -optional_policy(` - thunderbird_role(user_r, user_t) -') - -optional_policy(` - tvtime_role(user_r, user_t) -') - -optional_policy(` - uml_role(user_r, user_t) -') - -optional_policy(` - userhelper_role_template(user, user_r, user_t) -') - -optional_policy(` - vmware_role(user_r, user_t) -') - -optional_policy(` - wireshark_role(user_r, 
user_t) -') - optional_policy(` xserver_role(user_r, user_t) ') + +ifndef(`distro_redhat',` + optional_policy(` + auth_role(user_r, user_t) + ') + + optional_policy(` + bluetooth_role(user_r, user_t) + ') + + optional_policy(` + cdrecord_role(user_r, user_t) + ') + + optional_policy(` + cron_role(user_r, user_t) + ') + + optional_policy(` + dbus_role_template(user, user_r, user_t) + ') + + optional_policy(` + evolution_role(user_r, user_t) + ') + + optional_policy(` + games_role(user_r, user_t) + ') + + optional_policy(` + gift_role(user_r, user_t) + ') + + optional_policy(` + gnome_role(user_r, user_t) + ') + + optional_policy(` + gpg_role(user_r, user_t) + ') + + optional_policy(` + irc_role(user_r, user_t) + ') + + optional_policy(` + java_role(user_r, user_t) + ') + + optional_policy(` + lockdev_role(user_r, user_t) + ') + + optional_policy(` + lpd_role(user_r, user_t) + ') + + optional_policy(` + mozilla_role(user_r, user_t) + ') + + optional_policy(` + mplayer_role(user_r, user_t) + ') + + optional_policy(` + mta_role(user_r, user_t) + ') + + optional_policy(` + oident_manage_user_content(user_t) + oident_relabel_user_content(user_t) + ') + + optional_policy(` + postgresql_role(user_r, user_t) + ') + + optional_policy(` + pyzor_role(user_r, user_t) + ') + + optional_policy(` + razor_role(user_r, user_t) + ') + + optional_policy(` + rssh_role(user_r, user_t) + ') + + optional_policy(` + spamassassin_role(user_r, user_t) + ') + + optional_policy(` + ssh_role_template(user, user_r, user_t) + ') + + optional_policy(` + su_role_template(user, user_r, user_t) + ') + + optional_policy(` + sudo_role_template(user, user_r, user_t) + ') + + optional_policy(` + thunderbird_role(user_r, user_t) + ') + + optional_policy(` + tvtime_role(user_r, user_t) + ') + + optional_policy(` + uml_role(user_r, user_t) + ') + + optional_policy(` + userhelper_role_template(user, user_r, user_t) + ') + + optional_policy(` + vmware_role(user_r, user_t) + ') + + optional_policy(` + 
wireshark_role(user_r, user_t) + ') +')
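Review bot: The set of calls left unconditional for user_t differs from staff.te in a way the patch does not explain. Here screen_role_template stays outside the ifndef while postgresql_role, ssh_role_template and sudo_role_template move inside it; staff.te does the opposite for all four. Withholding sudo from user_r on distro_redhat builds may well be intended as least privilege, but keeping screen for user_t while removing it from staff_t looks accidental. If it is not intended, move the `screen_role_template(user, user_r, user_t)` block into the ifndef so the two roles agree; otherwise add a comment above the block stating that the difference from staff.te is deliberate.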