From mboxrd@z Thu Jan 1 00:00:00 1970 From: qingtao.cao@windriver.com (Harry Ciao) Date: Fri, 16 Dec 2011 14:28:48 +0800 Subject: [refpolicy] [PATCH 1/1] Make role attributes able to type their "own" types. In-Reply-To: <1323933437-10078-1-git-send-email-qingtao.cao@windriver.com> References: <1323933437-10078-1-git-send-email-qingtao.cao@windriver.com> Message-ID: <4EEAE520.4030905@windriver.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com BTW, by using "seinfo --role=sysadm_r -x" command, we could get a full manifest of types that sysadm_r is able to type with. Below is the difference between without and with this fix. We sure want the sysadm_r able to type with newrole_t, useradd_t etc, don't we :-P Thanks, Harry cao at cao-laptop:~/tmp/setools-3.3.7$ diff -up /home/cao/tmp/sysadm_r_types.wrong /home/cao/tmp/sysadm_r_types.correct --- /home/cao/tmp/sysadm_r_types.wrong 2011-12-16 14:24:21.000000000 +0800 +++ /home/cao/tmp/sysadm_r_types.correct 2011-12-16 14:23:32.000000000 +0800 @@ -56,12 +56,14 @@ webalizer_t oav_update_t httpd_user_script_t + run_init_t smbmount_t spamassassin_t checkpc_t clockspeed_cli_t gpg_pinentry_t hwclock_t + newrole_t dcc_client_t mozilla_t traceroute_t @@ -83,6 +85,7 @@ portage_sandbox_t evolution_alarm_t qmail_queue_t + groupadd_t backup_t chkpwd_t depmod_t @@ -93,6 +96,7 @@ siggen_t updpwd_t apt_t + chfn_t gift_t giftd_t lpr_t 
@@ -128,6 +132,7 @@ lockdev_t mplayer_t sysadm_sudo_t + useradd_t twadmin_t twprint_t xserver_t cao at cao-laptop:~/tmp/setools-3.3.7$ On 12/15/2011 03:17 PM, Harry Ciao wrote: > By default, any role attribute should be able to type their "own" types > that share the same prefix and used in the run interface. For example, > > role newrole_roles types newrole_t; > > so that the calling domain of the seutil_run_newrole() interface could > properly transition into newrole_t. Without the above role rule, the caller's > role won't be associated with newrole_t. > > Other role attributes such as useradd_roles, groupadd_roles, chfn_roles > and run_init_roles should be fixed in the same way. > --- > policy/modules/admin/usermanage.te | 3 +++ > policy/modules/system/selinuxutil.te | 2 ++ > 2 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te > index 530c988..8fc8052 100644 > --- a/policy/modules/admin/usermanage.te > +++ b/policy/modules/admin/usermanage.te > @@ -6,9 +6,11 @@ policy_module(usermanage, 1.16.1) > # > > attribute_role chfn_roles; > +role chfn_roles types chfn_t; > role system_r types chfn_t; > > attribute_role groupadd_roles; > +role groupadd_roles types groupadd_t; > > attribute_role passwd_roles; > roleattribute system_r passwd_roles; > @@ -17,6 +19,7 @@ attribute_role sysadm_passwd_roles; > roleattribute system_r sysadm_passwd_roles; > > attribute_role useradd_roles; > +role useradd_roles types useradd_t; > > type admin_passwd_exec_t; > files_type(admin_passwd_exec_t) > diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te > index b3286c5..82268df 100644 > --- a/policy/modules/system/selinuxutil.te > +++ b/policy/modules/system/selinuxutil.te 
> @@ -13,8 +13,10 @@ attribute can_write_binary_policy; > attribute can_relabelto_binary_policy; > > attribute_role newrole_roles; > +role newrole_roles types newrole_t; > > attribute_role run_init_roles; > +role run_init_roles types run_init_t; > role system_r types run_init_t; > > attribute_role semanage_roles;
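Review bot: the first usermanage.te hunk (@@ -6,9 +6,11 @@) leaves `policy_module(usermanage, 1.16.1)` unchanged even though the module's rules change; refpolicy convention is to bump the patch level of the module version in the same commit, and the same applies to selinuxutil.te, whose policy_module line is not shown in the hunk context.

Review bot: in the second usermanage.te hunk (@@ -17,6 +19,7 @@) the context shows `roleattribute system_r sysadm_passwd_roles;` (and `roleattribute system_r passwd_roles;` in the first hunk) without a matching `role sysadm_passwd_roles types ...;` or `role passwd_roles types ...;` rule being added, while useradd_roles, groupadd_roles and chfn_roles do get one. Please confirm that passwd_roles and sysadm_passwd_roles are already associated with their types elsewhere; if not, they need the same treatment, or the problem described in the commit message is only partly fixed. A build followed by `seinfo --role=<role> -x` for each role that has the attribute, as in the reply above, is a quick way to check.

Review bot: in the selinuxutil.te hunk (@@ -13,8 +13,10 @@) `role run_init_roles types run_init_t;` is added directly above the existing `role system_r types run_init_t;`, so run_init_t is now associated with system_r in two ways if system_r is ever added to run_init_roles. This is harmless, but for consistency with the `roleattribute system_r passwd_roles;` pattern used in usermanage.te, consider `roleattribute system_r run_init_roles;` in place of the direct `role system_r types run_init_t;` line (the same applies to `role system_r types chfn_t;` in the first usermanage.te hunk), so that the attribute alone defines which roles may enter the domain.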