From 08cf443ff6fcf300e3169a9c4625d9b5cb25ac49 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 12 Aug 2011 08:12:20 -0400
Subject: [PATCH] Add role attributes in newrole and run_init.
---
 policy/modules/system/selinuxutil.if | 22 ++++++----------------
 policy/modules/system/selinuxutil.te | 16 +++++++++++-----
 2 files changed, 17 insertions(+), 21 deletions(-)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 268921383..588557146 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -192,13 +192,11 @@ interface(`seutil_domtrans_newrole',`
 #
 interface(`seutil_run_newrole',`
 	gen_require(`
-		type newrole_t;
+		attribute_role newrole_roles;
 	')
 
 	seutil_domtrans_newrole($1)
-	role $2 types newrole_t;
-
-	auth_run_upd_passwd(newrole_t, $2)
+	roleattribute $2 newrole_roles;
 ')
 
 ########################################
@@ -427,15 +425,11 @@ interface(`seutil_init_script_domtrans_runinit',`
 #
 interface(`seutil_run_runinit',`
 	gen_require(`
-		type run_init_t;
-		role system_r;
+		attribute_role run_init_roles;
 	')
 
-	auth_run_chk_passwd(run_init_t, $2)
 	seutil_domtrans_runinit($1)
-	role $2 types run_init_t;
-
-	allow $2 system_r;
+	roleattribute $2 run_init_roles;
 ')
 
 ########################################
@@ -467,15 +461,11 @@ interface(`seutil_run_runinit',`
 #
 interface(`seutil_init_script_run_runinit',`
 	gen_require(`
-		type run_init_t;
-		role system_r;
+		attribute_role run_init_roles;
 	')
 
-	auth_run_chk_passwd(run_init_t, $2)
 	seutil_init_script_domtrans_runinit($1)
-	role $2 types run_init_t;
-
-	allow $2 system_r;
+	roleattribute $2 run_init_roles;
 ')
 
 ########################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ef1df9ce7..f154204f1 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
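Review bot: Nothing in this commit authorizes the new role attributes for the domains they stand in for: seutil_run_newrole drops `role $2 types newrole_t;` in favour of `roleattribute $2 newrole_roles;`, but no hunk adds `role newrole_roles types newrole_t;`, and the two run_init interfaces in the following hunks likewise lose `role $2 types run_init_t;` without any `role run_init_roles types run_init_t;` (the diffstat of +17/-21 is fully accounted for by the visible hunks, so it is not elsewhere in the patch). Unless the file already carries those associations outside the shown hunks, a caller's role is no longer authorized for the target domain and the transition set up by seutil_domtrans_newrole / seutil_domtrans_runinit is refused by the role check rather than the type check. The natural place is the declarations hunk of selinuxutil.te, next to the new `attribute_role` lines: `role newrole_roles types newrole_t;` and `role run_init_roles types run_init_t;`.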
@@ -12,6 +12,11 @@ gen_require(`
 attribute can_write_binary_policy;
 attribute can_relabelto_binary_policy;
 
+attribute_role newrole_roles;
+
+attribute_role run_init_roles;
+role system_r types run_init_t;
+
 attribute_role semanage_roles;
 roleattribute system_r semanage_roles;
 
@@ -86,7 +91,6 @@ type run_init_t;
 type run_init_exec_t;
 application_domain(run_init_t, run_init_exec_t)
 domain_system_change_exemption(run_init_t)
-role system_r types run_init_t;
 
 type semanage_t;
 type semanage_exec_t;
@@ -271,8 +275,8 @@ term_getattr_unallocated_ttys(newrole_t)
 term_dontaudit_use_unallocated_ttys(newrole_t)
 
 auth_use_nsswitch(newrole_t)
-auth_domtrans_chk_passwd(newrole_t)
-auth_domtrans_upd_passwd(newrole_t)
+auth_run_chk_passwd(newrole_t, newrole_roles)
+auth_run_upd_passwd(newrole_t, newrole_roles)
 auth_rw_faillog(newrole_t)
 
 # Write to utmp.
@@ -360,6 +364,8 @@ optional_policy(`
 # Run_init local policy
 #
 
+allow run_init_roles system_r;
+
 allow run_init_t self:process setexec;
 allow run_init_t self:capability setuid;
 allow run_init_t self:fifo_file rw_file_perms;
@@ -391,8 +397,8 @@ selinux_compute_relabel_context(run_init_t)
 selinux_compute_user_contexts(run_init_t)
 
 auth_use_nsswitch(run_init_t)
-auth_domtrans_chk_passwd(run_init_t)
-auth_domtrans_upd_passwd(run_init_t)
+auth_run_chk_passwd(run_init_t, run_init_roles)
+auth_run_upd_passwd(run_init_t, run_init_roles)
 auth_dontaudit_read_shadow(run_init_t)
 
 init_spec_domtrans_script(run_init_t)
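Review bot: `allow run_init_roles system_r;` in the "Run_init local policy" hunk is now the single rule that lets every role placed in run_init_roles change to system_r, and it carries no comment saying why; the per-caller `allow $2 system_r;` it replaces had the same effect but was visible at each call site, whereas this one grant is applied to whatever roles the interfaces accumulate. A why-comment keeps the grant reviewable, e.g. `# roles running run_init change to system_r to start init scripts`. The purpose is inferred from the init_spec_domtrans_script(run_init_t) call in the last hunk, so confirm the wording before adding it.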