diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 5e9772258..b7fd8de10 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -206,18 +206,25 @@ template(`su_per_userdomain_template',`
 userdom_use_user_terminals($1,$1_su_t)
 userdom_search_user_home($1,$1_su_t)
- if(secure_mode) {
- # Only allow transitions to unprivileged user domains.
- userdom_spec_domtrans_unpriv_users($1_su_t)
- } else {
- # Allow transitions to all user domains
- userdom_spec_domtrans_all_users($1_su_t)
- }
-
 ifdef(`targeted_policy',`
 corecmd_exec_bin($1_su_t)
 userdom_manage_all_user_files($1_su_t)
 userdom_manage_all_user_symlinks($1_su_t)
+
+ # newrole does not make any sense in
+ # the targeted policy. This is to
+ # make sediff easier.
+ if(!secure_mode) {
+ unconfined_domtrans($1_su_t)
+ }
+ ',`
+ if(secure_mode) {
+ # Only allow transitions to unprivileged user domains.
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+ } else {
+ # Allow transitions to all user domains
+ userdom_spec_domtrans_all_users($1_su_t)
+ }
 ')
 tunable_policy(`use_nfs_home_dirs',`
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index d537e40eb..69a835414 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -660,7 +660,7 @@ interface(`fs_execute_cifs_files',`
 ## The type of the domain to not audit.
 ##
 #
-interface(`fs_read_cifs_files',`
+interface(`fs_dontaudit_read_cifs_files',`
 gen_require(`
 type cifs_t;
 class file { read write };
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 315343cc0..95770691b 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
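Review bot: The comment added inside the targeted_policy branch, `# newrole does not make any sense in the targeted policy`, talks about newrole, but this template configures su ($1_su_t); it reads as copied from the selinuxutil.te hunk and should name su, e.g. `# In the targeted policy su transitions straight to the unconfined domain (secure_mode off); the per-user transition rules in the other branch apply only to the strict policy.` Also worth stating: in the targeted branch nothing is granted when secure_mode is on, so the shell su spawns would presumably stay in $1_su_t rather than reach an unprivileged user domain as the non-targeted branch still allows — if that asymmetry is intentional it deserves a one-line comment. The su_per_userdomain_template body starts and ends outside the hunk.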
@@ -184,6 +184,8 @@ optional_policy(`inetd.te',`
 # inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
 #')
+ inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
+
 optional_policy(`tcpd.te',`
 tunable_policy(`! ftpd_is_daemon',`
 tcpd_domtrans(tcpd_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index bce4e26df..982dded7d 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -263,13 +263,22 @@ userdom_use_unpriv_users_fd(newrole_t)
 # for some PAM modules and for cwd
 userdom_dontaudit_search_all_users_home(newrole_t)
-# if secure mode is enabled, then newrole
-# can only transition to unprivileged users
-if(secure_mode) {
- userdom_spec_domtrans_unpriv_users(newrole_t)
-} else {
- userdom_spec_domtrans_all_users(newrole_t)
-}
+ifdef(`targeted_policy',`
+ # newrole does not make any sense in
+ # the targeted policy. This is to
+ # make sediff easier.
+ if(!secure_mode) {
+ unconfined_domtrans(newrole_t)
+ }
+',`
+ # if secure mode is enabled, then newrole
+ # can only transition to unprivileged users
+ if(secure_mode) {
+ userdom_spec_domtrans_unpriv_users(newrole_t)
+ } else {
+ userdom_spec_domtrans_all_users(newrole_t)
+ }
+')
 optional_policy(`nis.te',`
 nis_use_ypbind(newrole_t)
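Review bot: The new `inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)` call is unconditional, while the commented-out `optional_policy(`inetd.te',`` wrapper stays directly above it as dead text; if the interface references inetd types (inferred from its name, since its body is not in the hunk), the ftp module now hard-depends on the inetd module being built. Either re-enable the wrapper around the call, `optional_policy(`inetd.te',` … `')`, or delete the commented block so the unconditional dependency is visible to the next reader. The call also applies regardless of the `ftpd_is_daemon` tunable that the tcpd block just below keys on; if the inetd entry is meant to be independent of that tunable, a short comment saying so would stop someone from "fixing" it later.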
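Review bot: In the targeted_policy branch the only rule is `if(!secure_mode) { unconfined_domtrans(newrole_t) }`, so with secure_mode on newrole_t is granted no transition target at all, whereas the other branch still permits unprivileged user domains; the comment `# newrole does not make any sense in the targeted policy` does not say that this asymmetry is deliberate. Suggest extending it along the lines of `# targeted policy: newrole goes straight to the unconfined domain; with secure_mode on it is granted no transition at all` so readers comparing the two branches with sediff know what was intended. The unconfined target is inferred from the interface name, as unconfined_domtrans's definition is not part of this diff.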