work on newrole policy

refpolicy/policy/global_tunables

@@ -40,6 +40,13 @@ gen_tunable(fcron_crond,false)
 ## </tunable>
 gen_tunable(read_default_t,false)
 
+## <tunable name="secure_mode" dftval="false">
+##	Enabling secure mode disallows programs, such as
+##	newrole, from transitioning to administrative
+##	user domains.
+## </tunable>
+gen_bool(secure_mode,false)
+
 ## <tunable name="staff_read_sysadm_file" dftval="false">
 ##	Allow staff_r users to search the sysadm home 
 ##	dir and read files (such as ~/.bashrc)

refpolicy/policy/modules/kernel/terminal.if

@@ -402,6 +402,27 @@ define(`term_dontaudit_use_all_user_ptys',`
 	dontaudit $1 ptynode:chr_file { read write };
 ')
 
+########################################
+## <interface name="term_relabel_all_user_ptys">
+##	<description>
+##		Relabel from and to all user
+##		user pty device nodes.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+## </interface>
+#
+define(`term_relabel_all_user_ptys',`
+	gen_require(`
+		attribute ptynode;
+		class chr_file { relabelfrom relabelto };
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 ptynode:chr_file { relabelfrom relabelto };
+')
+
 ########################################
 ## <interface name="term_getattr_unallocated_ttys">
 ##	<description>

refpolicy/policy/modules/system/selinuxutil.te

@@ -128,11 +128,6 @@ libs_use_shared_libs(checkpolicy_t)
 
 userdom_use_all_user_fd(checkpolicy_t)
 
-ifdef(`TODO',`
-# Read the devpts root directory.  
-ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
-') dnl endif TODO
-
 ########################################
 #
 # Load_policy local policy
@@ -210,6 +205,8 @@ selinux_compute_user_contexts(newrole_t)
 
 term_use_all_user_ttys(newrole_t)
 term_use_all_user_ptys(newrole_t)
+term_relabel_all_user_ttys(newrole_t)
+term_relabel_all_user_ptys(newrole_t)
 
 auth_domtrans_chk_passwd(newrole_t)
 
@@ -229,6 +226,14 @@ miscfiles_read_localization(newrole_t)
 
 userdom_use_unpriv_users_fd(newrole_t)
 
+# if secure mode is enabled, then newrole
+# can only transition to unprivileged users
+if(secure_mode) {
+	userdom_spec_domtrans_unpriv_users(newrole_t)
+} else {
+	userdom_spec_domtrans_all_users(newrole_t)
+}
+
 ifdef(`TODO',`
 
 can_ypbind(newrole)
@@ -239,29 +244,10 @@ allow newrole_t autofs_t:dir { search getattr };
 # for when the user types "exec newrole" at the command line
 allow newrole_t privfd:process sigchld;
  
-# Execute /sbin/pwdb_chkpwd to check the password.
-allow newrole_t sbin_t:dir r_dir_perms;
-
-# Execute shells
-allow newrole_t bin_t:dir r_dir_perms;
-allow newrole_t bin_t:lnk_file read;
-
-# Allow newrole_t to transition to user domains.
-bool secure_mode false;
-domain_trans(newrole_t, shell_exec_t, unpriv_userdomain)
-if(!secure_mode)
-{
-	# if we are not in secure mode then we can transition to sysadm_t
-	domain_trans(newrole_t, shell_exec_t, sysadm_t)
-}
-
 # Read /var.
 allow newrole_t var_t:dir r_dir_perms;
 allow newrole_t var_t:notdevfile_class_set r_file_perms;
 
-# Relabel terminals.
-allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-
 ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
 
 # for some PAM modules and for cwd
@@ -308,10 +294,6 @@ logging_send_syslog_msg(restorecon_t)
 
 userdom_use_all_user_fd(restorecon_t)
 
-optional_policy(`hotplug.te',`
-	hotplug_use_fd(restorecon_t)
-')
-
 # relabeling rules
 kernel_relabel_unlabeled(restorecon_t)
 dev_relabel_all_dev_nodes(restorecon_t)
@@ -328,6 +310,10 @@ ifdef(`distro_redhat', `
 	fs_relabel_tmpfs_character_devices(restorecon_t)
 ')
 
+optional_policy(`hotplug.te',`
+	hotplug_use_fd(restorecon_t)
+')
+
 ifdef(`TODO',`
 
 # for upgrading glibc and other shared objects - without this the upgrade
@@ -395,13 +381,15 @@ ifdef(`targeted_policy',`',`
 	logging_send_syslog_msg(run_init_t)
 ') dnl end ifdef targeted policy
 
+
 ifdef(`TODO',`
 
 ifdef(`distro_gentoo', `
 	# Gentoo integrated run_init+open_init_pty-runscript:
-	domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 	domain_entry_file(run_init_t,initrc_exec_t)
+	domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 ')
+
 ') dnl end TODO
 
 ########################################

refpolicy/policy/modules/system/userdomain.if

@@ -821,12 +821,31 @@ define(`admin_domain_template',`
 ## </interface>
 #
 define(`userdom_spec_domtrans_all_users',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute userdomain;
+	')
+
 	corecmd_shell_spec_domtrans($1,userdomain)
 ')
 
-define(`userdom_spec_domtrans_all_users_depend',`
-	type sysadm_t;
+########################################
+## <interface name="userdom_spec_domtrans_unpriv_users">
+##	<description>
+##		Execute a shell in all unprivileged user domains.  This
+##		is an explicit transition, requiring the
+##		caller to use setexeccon().
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+## </interface>
+#
+define(`userdom_spec_domtrans_unpriv_users',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	corecmd_shell_spec_domtrans($1,unpriv_userdomain)
 ')
 
 ########################################

refpolicy/policy/support/misc_macros.spt

@@ -19,6 +19,10 @@ define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
 #
 define(`context_template',`ifdef(`enable_mls',`$1:$2',`$1')') dnl
 
+########################################
+#
+# can_exec(domain,executable)
+#
 define(`can_exec',`
 	gen_require(`
 		class file { rx_file_perms execute_no_trans };
@@ -26,3 +30,11 @@ define(`can_exec',`
 
 	allow $1 $2:file { rx_file_perms execute_no_trans };
 ')
+
+########################################
+#
+# gen_bool(name,default_value)
+#
+define(`gen_bool',`
+	bool $1 dflt_or_overr(`$1'_conf,$2);
+')