[selinux-policy: 945/3172] use role dominance in targeted for compatability with strict
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:26:42 UTC 2010
commit 37c85212a162b7f305fd570fa845b2959999834e
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Nov 10 16:55:56 2005 +0000
use role dominance in targeted for compatability with strict
refpolicy/policy/modules/system/unconfined.if | 16 ----------------
refpolicy/policy/modules/system/unconfined.te | 8 ++++++++
refpolicy/policy/modules/system/userdomain.te | 3 ---
3 files changed, 8 insertions(+), 19 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 23a7b97..6e12ad1 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -248,22 +248,6 @@ interface(`unconfined_dontaudit_rw_tcp_socket',`
########################################
## <summary>
-## Add the unconfined domain to the specified role.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`unconfined_role',`
- gen_require(`
- type unconfined_t;
- ')
-
- role $1 types unconfined_t;
-')
-
-########################################
-## <summary>
## Add an alias type to the unconfined domain.
## </summary>
## <desc>
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index ce40afb..486a30d 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -25,6 +25,12 @@ unconfined_domain_template(unconfined_t)
logging_send_syslog_msg(unconfined_t)
ifdef(`targeted_policy',`
+ # compatibility for switching from strict
+ dominance { role secadm_r { role system_r; }}
+ dominance { role sysadm_r { role system_r; }}
+ dominance { role user_r { role system_r; }}
+ dominance { role staff_r { role system_r; }}
+
allow unconfined_t self:system syslog_read;
dontaudit unconfined_t self:capability sys_module;
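Review bot: The four added `dominance` statements in the targeted_policy block grant more than the `role $1 types unconfined_t;` rule they replace, because a dominating role inherits every type authorized for `system_r`, not only `unconfined_t`. They also cover `secadm_r` and `staff_r`, whereas the `unconfined_role()` calls removed from userdomain.te in this commit named only `user_r` and `sysadm_r`. If that breadth is intended for strict-to-targeted compatibility, the comment should record it, e.g. `# compatibility for switching from strict: these roles inherit all system_r types via dominance, not just unconfined_t`. The enclosing targeted_policy ifdef continues past the end of this hunk.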
@@ -120,5 +126,7 @@ ifdef(`targeted_policy',`
')
') dnl end TODO
+
+ # FIXME:
typeattribute unconfined_t direct_run_init;
')
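Review bot: The added `# FIXME:` above `typeattribute unconfined_t direct_run_init;` is empty, so a later reader cannot tell what is wrong with the attribute assignment or whether it is meant to be temporary. State the reason and the condition for removing it in the comment itself, e.g. `# FIXME: <why unconfined_t needs direct_run_init here; what replaces it>`. The targeted_policy ifdef that this line closes starts outside the hunk.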
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index a108cbd..03861f3 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -64,9 +64,6 @@ ifdef(`targeted_policy',`
files_associate_tmp(user_home_dir_t)
fs_associate_tmpfs(user_home_dir_t)
- unconfined_role(user_r)
- unconfined_role(sysadm_r)
-
# dont need to use the full role_change()
allow sysadm_r system_r;
allow sysadm_r user_r;