From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 27 Feb 2012 10:31:12 -0500 Subject: [refpolicy] [PATCH 1/1] Make role attributes able to type their "own" types. In-Reply-To: <1323933437-10078-1-git-send-email-qingtao.cao@windriver.com> References: <1323933437-10078-1-git-send-email-qingtao.cao@windriver.com> Message-ID: <4F4BA1C0.6040103@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/15/11 02:17, Harry Ciao wrote: > By default, any role attribute should be able to type their "own" types > that share the same prefix and are used in the run interface. For example, > > role newrole_roles types newrole_t; > > so that the calling domain of the seutil_run_newrole() interface could > properly transition into newrole_t. Without the above role rule, the caller's > role won't be associated with newrole_t. > > Other role attributes such as useradd_roles, groupadd_roles, chfn_roles > and run_init_roles should be fixed in the same way. Merged. > --- > policy/modules/admin/usermanage.te | 3 +++ > policy/modules/system/selinuxutil.te | 2 ++ > 2 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te > index 530c988..8fc8052 100644 > --- a/policy/modules/admin/usermanage.te > +++ b/policy/modules/admin/usermanage.te > @@ -6,9 +6,11 @@ policy_module(usermanage, 1.16.1) > # > > attribute_role chfn_roles; > +role chfn_roles types chfn_t; > role system_r types chfn_t; > > attribute_role groupadd_roles; > +role groupadd_roles types groupadd_t; > > attribute_role passwd_roles; > roleattribute system_r passwd_roles; > @@ -17,6 +19,7 @@ attribute_role sysadm_passwd_roles; > roleattribute system_r sysadm_passwd_roles; > > attribute_role useradd_roles; > +role useradd_roles types useradd_t; > > type admin_passwd_exec_t; > files_type(admin_passwd_exec_t) 
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te > index b3286c5..82268df 100644 > --- a/policy/modules/system/selinuxutil.te > +++ b/policy/modules/system/selinuxutil.te > @@ -13,8 +13,10 @@ attribute can_write_binary_policy; > attribute can_relabelto_binary_policy; > > attribute_role newrole_roles; > +role newrole_roles types newrole_t; > > attribute_role run_init_roles; > +role run_init_roles types run_init_t; > role system_r types run_init_t; > > attribute_role semanage_roles; -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
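Review bot: In the first usermanage.te hunk (@@ -6,9 +6,11 @@), the chfn block now authorizes chfn_t through two mechanisms, the new "role chfn_roles types chfn_t;" and the retained "role system_r types chfn_t;", while passwd_roles in the same hunk puts system_r into the attribute with "roleattribute system_r passwd_roles;". Consider replacing the direct system_r rule with "roleattribute system_r chfn_roles;" so that attribute membership is the single place that decides which roles may be associated with chfn_t, which makes the set of authorized roles easier to audit.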
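Review bot: In the second usermanage.te hunk (@@ -17,6 +19,7 @@), useradd_roles gains its "role ... types" rule, but the sysadm_passwd_roles lines in the context just above it (and passwd_roles at the end of the previous hunk) show only a roleattribute line, and the commit message does not list either attribute. Please confirm whether those two already have a matching "role <attr> types <type>;" rule elsewhere in the file or were left out on purpose, and say so in the commit message, since it states the rule should hold for any role attribute.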
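Review bot: In the selinuxutil.te hunk (@@ -13,8 +13,10 @@), the two added rules carry no comment, although they change what membership of newrole_roles and run_init_roles means: any role placed in the attribute is now associated with newrole_t or run_init_t. A one-line comment above each rule stating that the attribute is the gate for the corresponding run interface would help later reviewers who add roles to it. The trailing context also shows "attribute_role semanage_roles;" with no equivalent rule in view, so it is worth checking whether semanage_roles needs the same treatment.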