Add role attributes in newrole and run_init.

2011-08-12 08:12:20 -04:00 · 2011-08-12 08:12:20 -04:00 · 08cf443ff6
commit 08cf443ff6
parent e6453fa567
2 changed files with 17 additions and 21 deletions
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@ -192,13 +192,11 @@ interface(`seutil_domtrans_newrole',`
 #
 interface(`seutil_run_newrole',`
 	gen_require(`
-		type newrole_t;
+		attribute_role newrole_roles;
 	')

 	seutil_domtrans_newrole($1)
-	role $2 types newrole_t;
-
-	auth_run_upd_passwd(newrole_t, $2)
+	roleattribute $2 newrole_roles;
 ')

 ########################################
@ -427,15 +425,11 @@ interface(`seutil_init_script_domtrans_runinit',`
 #
 interface(`seutil_run_runinit',`
 	gen_require(`
-		type run_init_t;
-		role system_r;
+		attribute_role run_init_roles;
 	')

-	auth_run_chk_passwd(run_init_t, $2)
 	seutil_domtrans_runinit($1)
-	role $2 types run_init_t;
-
-	allow $2 system_r;
+	roleattribute $2 run_init_roles;
 ')

 ########################################
@ -467,15 +461,11 @@ interface(`seutil_run_runinit',`
 #
 interface(`seutil_init_script_run_runinit',`
 	gen_require(`
-		type run_init_t;
-		role system_r;
+		attribute_role run_init_roles;
 	')

-	auth_run_chk_passwd(run_init_t, $2)
 	seutil_init_script_domtrans_runinit($1)
-	role $2 types run_init_t;
-
-	allow $2 system_r;
+	roleattribute $2 run_init_roles;
 ')

 ########################################
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@ -12,6 +12,11 @@ gen_require(`
 attribute can_write_binary_policy;
 attribute can_relabelto_binary_policy;

+attribute_role newrole_roles;
+
+attribute_role run_init_roles;
+role system_r types run_init_t;
+
 attribute_role semanage_roles;
 roleattribute system_r semanage_roles;

@ -86,7 +91,6 @@ type run_init_t;
 type run_init_exec_t;
 application_domain(run_init_t, run_init_exec_t)
 domain_system_change_exemption(run_init_t)
-role system_r types run_init_t;

 type semanage_t;
 type semanage_exec_t;
@ -271,8 +275,8 @@ term_getattr_unallocated_ttys(newrole_t)
 term_dontaudit_use_unallocated_ttys(newrole_t)

 auth_use_nsswitch(newrole_t)
-auth_domtrans_chk_passwd(newrole_t)
-auth_domtrans_upd_passwd(newrole_t)
+auth_run_chk_passwd(newrole_t, newrole_roles)
+auth_run_upd_passwd(newrole_t, newrole_roles)
 auth_rw_faillog(newrole_t)

 # Write to utmp.
@ -360,6 +364,8 @@ optional_policy(`
 # Run_init local policy
 #

+allow run_init_roles system_r;
+
 allow run_init_t self:process setexec;
 allow run_init_t self:capability setuid;
 allow run_init_t self:fifo_file rw_file_perms;
@ -391,8 +397,8 @@ selinux_compute_relabel_context(run_init_t)
 selinux_compute_user_contexts(run_init_t)

 auth_use_nsswitch(run_init_t)
-auth_domtrans_chk_passwd(run_init_t)
-auth_domtrans_upd_passwd(run_init_t)
+auth_run_chk_passwd(run_init_t, run_init_roles)
+auth_run_upd_passwd(run_init_t, run_init_roles)
 auth_dontaudit_read_shadow(run_init_t)

 init_spec_domtrans_script(run_init_t)