* [refpolicy] [PATCH 1/1] Make role attributes able to type their "own" types.
2011-12-15 7:17 [refpolicy] [PATCH 1/1] Make role attributes able to type their "own" types Harry Ciao
@ 2011-12-16 6:28 ` Harry Ciao
2012-02-27 15:31 ` Christopher J. PeBenito
1 sibling, 0 replies; 3+ messages in thread
From: Harry Ciao @ 2011-12-16 6:28 UTC (permalink / raw)
To: refpolicy
BTW, by using "seinfo --role=sysadm_r -x" command, we could get a full
manifest of types that sysadm_r is able to type with. Below is the
difference between without and with this fix. We sure want the sysadm_r
able to type with newrole_t, useradd_t etc, don't we :-P
Thanks,
Harry
cao at cao-laptop:~/tmp/setools-3.3.7$ diff -up
/home/cao/tmp/sysadm_r_types.wrong /home/cao/tmp/sysadm_r_types.correct
--- /home/cao/tmp/sysadm_r_types.wrong 2011-12-16 14:24:21.000000000
+0800
+++ /home/cao/tmp/sysadm_r_types.correct 2011-12-16
14:23:32.000000000 +0800
@@ -56,12 +56,14 @@
webalizer_t
oav_update_t
httpd_user_script_t
+ run_init_t
smbmount_t
spamassassin_t
checkpc_t
clockspeed_cli_t
gpg_pinentry_t
hwclock_t
+ newrole_t
dcc_client_t
mozilla_t
traceroute_t
@@ -83,6 +85,7 @@
portage_sandbox_t
evolution_alarm_t
qmail_queue_t
+ groupadd_t
backup_t
chkpwd_t
depmod_t
@@ -93,6 +96,7 @@
siggen_t
updpwd_t
apt_t
+ chfn_t
gift_t
giftd_t
lpr_t
@@ -128,6 +132,7 @@
lockdev_t
mplayer_t
sysadm_sudo_t
+ useradd_t
twadmin_t
twprint_t
xserver_t
cao at cao-laptop:~/tmp/setools-3.3.7$
On 12/15/2011 03:17 PM, Harry Ciao wrote:
> By default, any role attribute should be able to type their "own" types
> that share the same prefix and used in the run interface. For example,
>
> role newrole_roles types newrole_t;
>
> so that the calling domain of the seutil_run_newrole() interface could
> properly tansition into newrole_t. Without above role rule, the caller's
> role won't be associated with newrole_t.
>
> Other role attributes such as useradd_roles, groupadd_roles, chfn_roles
> and run_init_roles should be fixed in the same way.
> ---
> policy/modules/admin/usermanage.te | 3 +++
> policy/modules/system/selinuxutil.te | 2 ++
> 2 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index 530c988..8fc8052 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -6,9 +6,11 @@ policy_module(usermanage, 1.16.1)
> #
>
> attribute_role chfn_roles;
> +role chfn_roles types chfn_t;
> role system_r types chfn_t;
>
> attribute_role groupadd_roles;
> +role groupadd_roles types groupadd_t;
>
> attribute_role passwd_roles;
> roleattribute system_r passwd_roles;
> @@ -17,6 +19,7 @@ attribute_role sysadm_passwd_roles;
> roleattribute system_r sysadm_passwd_roles;
>
> attribute_role useradd_roles;
> +role useradd_roles types useradd_t;
>
> type admin_passwd_exec_t;
> files_type(admin_passwd_exec_t)
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index b3286c5..82268df 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -13,8 +13,10 @@ attribute can_write_binary_policy;
> attribute can_relabelto_binary_policy;
>
> attribute_role newrole_roles;
> +role newrole_roles types newrole_t;
>
> attribute_role run_init_roles;
> +role run_init_roles types run_init_t;
> role system_r types run_init_t;
>
> attribute_role semanage_roles;
^ permalink raw reply [flat|nested] 3+ messages in thread* [refpolicy] [PATCH 1/1] Make role attributes able to type their "own" types.
2011-12-15 7:17 [refpolicy] [PATCH 1/1] Make role attributes able to type their "own" types Harry Ciao
2011-12-16 6:28 ` Harry Ciao
@ 2012-02-27 15:31 ` Christopher J. PeBenito
1 sibling, 0 replies; 3+ messages in thread
From: Christopher J. PeBenito @ 2012-02-27 15:31 UTC (permalink / raw)
To: refpolicy
On 12/15/11 02:17, Harry Ciao wrote:
> By default, any role attribute should be able to type their "own" types
> that share the same prefix and used in the run interface. For example,
>
> role newrole_roles types newrole_t;
>
> so that the calling domain of the seutil_run_newrole() interface could
> properly tansition into newrole_t. Without above role rule, the caller's
> role won't be associated with newrole_t.
>
> Other role attributes such as useradd_roles, groupadd_roles, chfn_roles
> and run_init_roles should be fixed in the same way.
Merged.
> ---
> policy/modules/admin/usermanage.te | 3 +++
> policy/modules/system/selinuxutil.te | 2 ++
> 2 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index 530c988..8fc8052 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -6,9 +6,11 @@ policy_module(usermanage, 1.16.1)
> #
>
> attribute_role chfn_roles;
> +role chfn_roles types chfn_t;
> role system_r types chfn_t;
>
> attribute_role groupadd_roles;
> +role groupadd_roles types groupadd_t;
>
> attribute_role passwd_roles;
> roleattribute system_r passwd_roles;
> @@ -17,6 +19,7 @@ attribute_role sysadm_passwd_roles;
> roleattribute system_r sysadm_passwd_roles;
>
> attribute_role useradd_roles;
> +role useradd_roles types useradd_t;
>
> type admin_passwd_exec_t;
> files_type(admin_passwd_exec_t)
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index b3286c5..82268df 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -13,8 +13,10 @@ attribute can_write_binary_policy;
> attribute can_relabelto_binary_policy;
>
> attribute_role newrole_roles;
> +role newrole_roles types newrole_t;
>
> attribute_role run_init_roles;
> +role run_init_roles types run_init_t;
> role system_r types run_init_t;
>
> attribute_role semanage_roles;
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 3+ messages in thread