[selinux-policy: 267/3172] start switching over to new tunable infrastructure

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:27:59 UTC 2010


commit 254bbc7bb3215e23402275345e443a4601f96bb7
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jun 7 18:45:47 2005 +0000

    start switching over to new tunable infrastructure

 refpolicy/Makefile                             |   23 +++++----
 refpolicy/policy/modules/admin/consoletype.te  |    2 +-
 refpolicy/policy/modules/admin/dmesg.te        |    2 +-
 refpolicy/policy/modules/kernel/bootloader.te  |    8 ++--
 refpolicy/policy/modules/kernel/terminal.if    |    4 +-
 refpolicy/policy/modules/services/cron.te      |    4 +-
 refpolicy/policy/modules/services/mta.te       |    2 +-
 refpolicy/policy/modules/system/authlogin.te   |    2 +-
 refpolicy/policy/modules/system/clock.te       |    2 +-
 refpolicy/policy/modules/system/hostname.te    |    4 +-
 refpolicy/policy/modules/system/hotplug.te     |    4 +-
 refpolicy/policy/modules/system/init.te        |   12 ++--
 refpolicy/policy/modules/system/iptables.te    |    2 +-
 refpolicy/policy/modules/system/locallogin.te  |    2 +-
 refpolicy/policy/modules/system/logging.te     |    2 +-
 refpolicy/policy/modules/system/lvm.te         |    4 +-
 refpolicy/policy/modules/system/mount.te       |    2 +-
 refpolicy/policy/modules/system/selinux.te     |    6 +-
 refpolicy/policy/modules/system/selinuxutil.te |    6 +-
 refpolicy/policy/modules/system/sysnetwork.te  |    4 +-
 refpolicy/policy/modules/system/udev.te        |    9 ++--
 refpolicy/policy/modules/system/userdomain.te  |    5 ++-
 refpolicy/policy/support/loadable_module.spt   |   64 +++++++++++++-----------
 23 files changed, 92 insertions(+), 83 deletions(-)
---
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 5066d50..c627f34 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -56,6 +56,7 @@ SETFILES := $(SBINDIR)/setfiles
 
 SUPPORT := support
 GENDOC := $(SUPPORT)/sedoctool.py
+FCSORT := $(SUPPORT)/fc_sort
 
 XMLLINT := $(BINDIR)/xmllint
 
@@ -261,16 +262,15 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
 # Create config files
 #
 conf $(MOD_DISABLE) $(TUNABLES): tmp/policy.xml
-	$(QUIET) touch $(TUNABLES)
-	@echo "Creating $(MOD_DISABLE)"
-	@echo "# This file contains a listing of available modules." > $(MOD_DISABLE)
-	@echo "# To prevent a module from  being used in policy" >> $(MOD_DISABLE)
-	@echo "# creation, uncomment the line with its name." >> $(MOD_DISABLE)
-	@echo "" >> $(MOD_DISABLE)
-	@for i in $(sort $(patsubst %.te,%,$(notdir $(ALL_TE_FILES)))); do \
-		echo "#$$i" >> $(MOD_DISABLE) ;\
-	done
-	$(QUIET) $(GENDOC) -x tmp/policy.xml -t $(TUNABLES)
+	@echo "Creating $(MOD_DISABLE) and $(TUNABLES)"
+#	@echo "# This file contains a listing of available modules." > $(MOD_DISABLE)
+#	@echo "# To prevent a module from  being used in policy" >> $(MOD_DISABLE)
+#	@echo "# creation, uncomment the line with its name." >> $(MOD_DISABLE)
+#	@echo "" >> $(MOD_DISABLE)
+#	@for i in $(sort $(patsubst %.te,%,$(notdir $(ALL_TE_FILES)))); do \
+#		echo "#$$i" >> $(MOD_DISABLE) ;\
+#	done
+	$(QUIET) $(GENDOC) -x tmp/policy.xml -t $(TUNABLES) -m $(MOD_DISABLE)
 
 ########################################
 #
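Review bot: The old $(MOD_DISABLE) generation is kept as seven commented-out recipe lines instead of being deleted, and the replacement relies on a `-m $(MOD_DISABLE)` option of sedoctool.py that is not part of this commit (support/sedoctool.py is absent from the diffstat), so the rule only works if that option already exists in the checked-in script or arrives in a separate change. I'd drop the `#`-prefixed lines outright; history keeps them. Removing `$(QUIET) touch $(TUNABLES)` is fine as long as a sedoctool failure propagates through `$(QUIET)` and fails the target, which the hunk does not show.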
@@ -299,6 +299,7 @@ $(FCPATH): $(FC) $(USERPATH)/system.users
 	$(QUIET) install -m 644 $(FC) $(FCPATH)
 #	$(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
 #	$(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
+	$(QUIET) $(FCSORT) $(FCPATH) $(FCPATH)
 
 ########################################
 #
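Review bot: `$(QUIET) $(FCSORT) $(FCPATH) $(FCPATH)` rewrites the installed file_contexts in place after `install` has already copied it, so if fc_sort fails or is interrupted the live $(FCPATH) can be left truncated or half-sorted; fc_sort exists precisely because entry order affects which spec a path matches, so that is the wrong file to modify in place. Sort the staging copy and install the result instead, e.g. `$(QUIET) $(FCSORT) $(FC) tmp/file_contexts.sorted` followed by `$(QUIET) install -m 644 tmp/file_contexts.sorted $(FCPATH)`. The $(FCPATH) target also does not list $(FCSORT) as a prerequisite, and `bare` deleting it suggests it is a built artifact, so a fresh checkout may reach this recipe before the tool exists; add it to the prerequisites if a build rule for it lives elsewhere.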
@@ -422,6 +423,8 @@ clean:
 	rm -f $(FC)
 
 bare: clean
+	rm -f $(SUPPORT)/*.pyc
+	rm -f $(FCSORT)
 	rm -f $(MOD_DISABLE)
 	rm -f $(TUNABLES)
 
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index d3fd863..4560712 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -50,7 +50,7 @@ files_ignore_read_rootfs_file(consoletype_t)
 libraries_use_dynamic_loader(consoletype_t)
 libraries_use_shared_libraries(consoletype_t)
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	filesystem_use_tmpfs_character_devices(consoletype_t)
 ')
 
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 30b7389..eb8b780 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -49,7 +49,7 @@ miscfiles_read_localization(dmesg_t)
 userdomain_use_admin_terminals(dmesg_t)
 userdomain_ignore_use_all_unprivileged_users_file_descriptors(dmesg_t)
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(dmesg_t)
 	terminal_ignore_use_general_pseudoterminal(dmesg_t)
 	files_ignore_read_rootfs_file(dmesg_t)
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 7e40d50..6defbf2 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -139,13 +139,13 @@ miscfiles_read_localization(bootloader_t)
 selinux_read_binary_policy(bootloader_t)
 selinux_read_load_policy_binary(bootloader_t)
 
-tunable_policy(`distro_debian', `
+ifdef(`distro_debian', `
 allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
 allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
 allow bootloader_t boot_t:file relabelfrom;
 ')
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	# for memlock
 	allow bootloader_t self:capability ipc_lock;
 
@@ -190,7 +190,7 @@ allow bootloader_t sysfs_t:dir getattr;
 allow bootloader_t var_t:dir search;
 allow bootloader_t var_t:file { getattr read };
 
-tunable_policy(`distro_debian', `
+ifdef(`distro_debian', `
 	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
 	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
 	allow bootloader_t tmpfs_t:dir r_dir_perms;
@@ -203,7 +203,7 @@ tunable_policy(`distro_debian', `
 	can_exec(bootloader_t, usr_t)
 ')
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	# new file system defaults to file_t, granting file_t access is still bad.
 	allow bootloader_t file_t:dir create_dir_perms;
 	allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 535416b..44d6b21 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -62,11 +62,11 @@ define(`terminal_make_physical_terminal',`
 
 	# Debian login is from shadow utils and does not allow resetting the perms.
 	# have to fix this!
-	tunable_policy(`distro_debian',`
+	ifdef(`distro_debian',`
 		type_change $1 ttyfile:chr_file $2;
 	')
 
-	tunable_policy(`distro_redhat',`
+	ifdef(`distro_redhat',`
 		filesystem_tmpfs_associate($2)
 	')
 ')
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 3c7fe1b..8f4b821 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -124,7 +124,7 @@ tunable_policy(`fcron_crond', `
 	allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(crond_t)
 	terminal_ignore_use_general_pseudoterminal(crond_t)
 	files_ignore_read_rootfs_file(crond_t)
@@ -348,7 +348,7 @@ ifdef(`apache.te', `
 allow system_crond_t httpd_log_t:file { getattr read };
 ')
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 optional_policy(`rpm.te', `
 allow system_crond_t rpm_log_t:file create_file_perms;
 ')
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index db452c5..643b174 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -27,7 +27,7 @@ type system_mail_t; #, user_mail_domain, nscd_client_domain;
 domain_make_domain(system_mail_t)
 role system_r types system_mail_t;
 
-tunable_policy(`targeted_policy',`',`
+ifdef(`targeted_policy',`',`
 optional_policy(`sendmail.te', `
 domain_make_entrypoint_file(system_mail_t,sendmail_exec_t)
 ', `
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 6c98d27..5b643a1 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -174,7 +174,7 @@ tunable_policy(`direct_sysadm_daemon', `
 	dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms;
 ')
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(pam_console_t)
 	terminal_ignore_use_general_pseudoterminal(pam_console_t)
 	files_ignore_read_rootfs_file(pam_console_t)
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 51a481a..5ba29d9 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -57,7 +57,7 @@ logging_send_system_log_message(hwclock_t)
 
 miscfiles_read_localization(hwclock_t)
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(hwclock_t)
 	terminal_ignore_use_general_pseudoterminal(hwclock_t)
 	files_ignore_read_rootfs_file(hwclock_t)
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 4656474..178c4b6 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -54,11 +54,11 @@ miscfiles_read_localization(hostname_t)
 
 userdomain_use_all_users_file_descriptors(hostname_t)
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	filesystem_use_tmpfs_character_devices(hostname_t)
 ')
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(hostname_t)
 	terminal_ignore_use_general_pseudoterminal(hostname_t)
 	files_ignore_read_rootfs_file(hostname_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index a80fa32..020d664 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -108,7 +108,7 @@ sysnetwork_read_network_config(hotplug_t)
 
 userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t)
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	optional_policy(`netutils.te', `
 		# for arping used for static IP addresses on PCMCIA ethernet
 		netutils_transition(hotplug_t)
@@ -117,7 +117,7 @@ tunable_policy(`distro_redhat', `
 	files_get_system_lock_file_attributes(hotplug_t)
 ')
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(hotplug_t)
 	terminal_ignore_use_general_pseudoterminal(hotplug_t)
 	files_ignore_read_rootfs_file(hotplug_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 7a1e77b..65bb7c9 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -139,7 +139,7 @@ selinux_read_config(init_t)
 
 miscfiles_read_localization(init_t)
 
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 	filesystem_use_tmpfs_character_devices(init_t)
 	filesystem_create_private_tmpfs_data(init_t,initctl_t,fifo_file)
 ')
@@ -307,11 +307,11 @@ userdomain_read_all_users_data(initrc_t)
 # started from init should be placed in their own domain.
 userdomain_use_admin_terminals(initrc_t)
 
-tunable_policy(`distro_debian', `
+ifdef(`distro_debian', `
 	filesystem_create_private_tmpfs_data(initrc_t,initrc_var_run_t,dir)
 ')
 
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 	# this is from kmodule, which should get its own policy:
 	allow initrc_t self:capability sys_admin;
 
@@ -399,7 +399,7 @@ su_restricted_domain(initrc,system)
 role system_r types initrc_su_t;
 ')
 
-tunable_policy(`distro_debian', `
+ifdef(`distro_debian', `
 	allow initrc_t { etc_t device_t }:dir setattr;
 
 	# for storing state under /dev/shm
@@ -407,12 +407,12 @@ tunable_policy(`distro_debian', `
 	file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
 ')
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	# readahead asks for these
 	allow initrc_t var_lib_nfs_t:file { getattr read };
 ')
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
 	allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
 	allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index 89c8fd2..9949f0f 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -96,7 +96,7 @@ optional_policy(`udev.te', `
 	udev_read_database(iptables_t)
 ')
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(iptables_t)
 	terminal_ignore_use_general_pseudoterminal(iptables_t)
 
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index c296763..b5b127f 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -235,7 +235,7 @@ ifdef(`monolithic_policy',`
 	ifdef(`distro_debian', `define(`sulogin_no_pam')')
 ') dnl end monolithic_policy
 
-tunable_policy(`sulogin_no_pam', `
+ifdef(`sulogin_no_pam', `
 	allow sulogin_t self:capability sys_tty_config;
 	init_get_process_group(sulogin_t)
 ', `
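Review bot: `ifdef(`sulogin_no_pam', ...)` is true only when the symbol is defined, and the context lines above show it being `define`d solely inside `ifdef(`monolithic_policy', ...)`, so a loadable-module build on Debian silently takes the else (PAM) branch. If that is not intended, move `ifdef(`distro_debian', `define(`sulogin_no_pam')')` out of the monolithic_policy block, or test `distro_debian` directly here. The rest of the conditional continues below the hunk.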
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 1053f7d..beb0e0d 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -274,7 +274,7 @@ tunable_policy(`direct_sysadm_daemon',`
 	dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
 ')
 
-tunable_policy(`distro_suse', `
+ifdef(`distro_suse', `
 	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
 	file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
 ')
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 00e3ac9..a58388f 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -135,12 +135,12 @@ selinux_read_config(lvm_t)
 selinux_read_file_contexts(lvm_t)
 selinux_newrole_sigchld(lvm_t)
 
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 	# this is from the initrd:
 	files_modify_isid_type_dir(lvm_t)
 ')
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(lvm_t)
 	terminal_ignore_use_general_pseudoterminal(lvm_t)
 
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 7cf5390..13d3ab2 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -68,7 +68,7 @@ miscfiles_read_localization(mount_t)
 
 userdomain_use_all_users_file_descriptors(mount_t)
 
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 	filesystem_use_tmpfs_character_devices(mount_t)
 	allow mount_t tmpfs_t:dir mounton;
 
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 4c84ad7..17a0c37 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -318,7 +318,7 @@ files_read_all_directories(restorecon_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(restorecon_t)
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 filesystem_use_tmpfs_character_devices(restorecon_t)
 filesystem_use_tmpfs_block_devices(restorecon_t)
 filesystem_relabel_tmpfs_block_devices(restorecon_t)
@@ -349,7 +349,7 @@ kernel_compute_selinux_create_context(run_init_t)
 kernel_compute_selinux_relabel_context(run_init_t)
 kernel_compute_selinux_reachable_user_contexts(run_init_t)
 
-tunable_policy(`targeted_policy',`',`
+ifdef(`targeted_policy',`',`
 	allow run_init_t self:process setexec;
 	allow run_init_t self:capability setuid;
 
@@ -394,7 +394,7 @@ tunable_policy(`targeted_policy',`',`
 
 ifdef(`TODO',`
 
-tunable_policy(`distro_gentoo', `
+ifdef(`distro_gentoo', `
 	# Gentoo integrated run_init+open_init_pty-runscript:
 	domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 	domain_make_entrypoint_file(run_init_t,initrc_exec_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 4c84ad7..17a0c37 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -318,7 +318,7 @@ files_read_all_directories(restorecon_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(restorecon_t)
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 filesystem_use_tmpfs_character_devices(restorecon_t)
 filesystem_use_tmpfs_block_devices(restorecon_t)
 filesystem_relabel_tmpfs_block_devices(restorecon_t)
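Review bot: selinuxutil.te and selinux.te carry the same blob ids (`index 4c84ad7..17a0c37`) and identical hunks, so the commit patches two byte-for-byte copies of one module; if selinuxutil.te is a rename-in-progress of selinux.te, the old file should be removed or left unpatched in the same change, otherwise both files declare the restorecon_t and run_init_t rules when both are built. This applies to all three hunks in each of the two files. The ifdef rewrite itself matches the other modules in the commit.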
@@ -349,7 +349,7 @@ kernel_compute_selinux_create_context(run_init_t)
 kernel_compute_selinux_relabel_context(run_init_t)
 kernel_compute_selinux_reachable_user_contexts(run_init_t)
 
-tunable_policy(`targeted_policy',`',`
+ifdef(`targeted_policy',`',`
 	allow run_init_t self:process setexec;
 	allow run_init_t self:capability setuid;
 
@@ -394,7 +394,7 @@ tunable_policy(`targeted_policy',`',`
 
 ifdef(`TODO',`
 
-tunable_policy(`distro_gentoo', `
+ifdef(`distro_gentoo', `
 	# Gentoo integrated run_init+open_init_pty-runscript:
 	domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 	domain_make_entrypoint_file(run_init_t,initrc_exec_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 27d68bf..f7ad7bd 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -140,7 +140,7 @@ ifdef(`distro_redhat', `
 	files_execute_system_config_script(dhcpc_t)
 ')
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(dhcpc_t)
 	terminal_ignore_use_general_pseudoterminal(dhcpc_t)
 
@@ -205,7 +205,7 @@ allow hotplug_t dhcpc_t:process signal_perms;
 allow hotplug_t dhcpc_var_run_t:file { getattr read };
 allow hotplug_t dhcp_etc_t:file rw_file_perms;
 allow dhcpc_t hotplug_etc_t:dir { getattr search };
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 logging_syslogd_transition(dhcpc_t)
 ')
 ')dnl end hotplug.te
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index b12a556..40e2b34 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -113,13 +113,13 @@ selinux_restorecon_transition(udev_t)
 
 sysnetwork_ifconfig_transition(udev_t)
 
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 	filesystem_manage_tmpfs_block_devices(udev_t)
 	filesystem_manage_tmpfs_character_devices(udev_t)
 
 	# for arping used for static IP addresses on PCMCIA ethernet
 	netutils_transition(udev_t)
-') dnl end ifdef distro_redhat
+')
 
 optional_policy(`authlogin.te',`
 	authlogin_pam_console_read_runtime_data(udev_t)
@@ -156,12 +156,11 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
 
 dbusd_client(system, udev)
 
-# Ifdefs
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 allow udev_t tmpfs_t:sock_file create_file_perms;
 allow udev_t tmpfs_t:lnk_file create_lnk_perms;
 allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto };
-') dnl end ifdef distro_redhat
+')
 
 tunable_policy(`hide_broken_symptoms',`
 dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 9aae29c..877af67 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -99,7 +99,10 @@ role_change(sysadm, staff)
 # only staff_r can change to sysadm_r
 role_change(staff, sysadm)
 
-tunable_policy(`user_canbe_sysadm',`
+# this should be tunable_policy, but
+# currently type_change and RBAC allow
+# do not work in conditionals
+ifdef(`user_canbe_sysadm',`
 	role_change(user,sysadm)
 ')
 
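Review bot: The new comment explains why `ifdef` is used but not its consequence: `role_change(user,sysadm)` lets user_r reach sysadm_r, and as a build-time ifdef that path cannot be turned off with setsebool the way a boolean could — only by rebuilding policy without `user_canbe_sysadm`. I'd extend the comment with `# NOTE: as a build-time ifdef the user_r -> sysadm_r transition cannot be disabled at runtime; rebuild without user_canbe_sysadm to remove it.` Since the comment already anticipates moving back to tunable_policy once role allow works in conditionals, a TODO marker there would help find it later.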
diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt
index a70719d..ad26530 100644
--- a/refpolicy/policy/support/loadable_module.spt
+++ b/refpolicy/policy/support/loadable_module.spt
@@ -9,9 +9,9 @@
 # For adding the module statement
 #
 define(`policy_module',`
-ifdef(`monolithic_policy',`',`
-module $1 $2;
-')
+	ifdef(`monolithic_policy',`',`
+		module $1 $2;
+	')
 ')
 
 ##############################
@@ -19,42 +19,46 @@ module $1 $2;
 # For use in interfaces, to optionally insert a requires block
 #
 define(`requires_block_template',`
-ifdef(`monolithic_policy',`',`
-require {
-$1
-}
-') dnl end ifdef monolithic_policy
-') dnl end requires_block_template
+	ifdef(`monolithic_policy',`',`
+		require {
+			$1
+		}
+	')
+')
 
 ##############################
 #
 # Optional policy handling
 #
 define(`optional_policy',`
-ifdef(`monolithic_policy',`
-ifdef(`$1',$2,$3)
-',`
-optional {
-$2
-} else {
-$3
-}
-') dnl end ifdef monolithic_policy
-') dnl end optional_policy
+	ifdef(`monolithic_policy',`
+		ifdef(`$1',$2,$3)
+	',`
+		optional {
+			$2
+		} else {
+			$3
+		}
+	')
+')
 
 ##############################
 #
 # Tunable policy handling
 #
 define(`tunable_policy',`
-ifdef(`monolithic_policy',`
-ifdef(`$1',$2,$3)
-',`
-optional {
-require { $1 }
-$2
-} else {
-$3
-}
-') dnl end ifdef monolithic_policy
-') dnl end tunable_policy
+	ifdef(`monolithic_policy',`
+		if (`$1') {
+			$2
+		} else {
+			$3
+		}
+	',`
+		optional {
+			require { `$1' }
+			$2
+		} else {
+			$3
+		}
+	')
+')

