[selinux-policy: 1319/3172] add back newrole functionality in rhel4

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:59:27 UTC 2010


commit 58a38222746be6242657f7ca4f3917db50c24749
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Mar 31 15:34:13 2006 +0000

    add back newrole functionality in rhel4

 refpolicy/policy/modules/admin/su.if |   57 ++++++++++++++++++++++++++++++++++
 1 files changed, 57 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index b248a9a..2e1116f 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -61,6 +61,25 @@ template(`su_restricted_domain_template', `
 
 	miscfiles_read_localization($1_su_t)
 
+	ifdef(`distro_rhel4',`
+		domain_role_change_exemption($1_su_t)
+		domain_subj_id_change_exemption($1_su_t)
+		domain_obj_id_change_exemption($1_su_t)
+
+		selinux_get_fs_mount($1_su_t)
+		selinux_validate_context($1_su_t)
+		selinux_compute_access_vector($1_su_t)
+		selinux_compute_create_context($1_su_t)
+		selinux_compute_relabel_context($1_su_t)
+		selinux_compute_user_contexts($1_su_t)
+
+		seutil_read_config($1_su_t)
+		seutil_read_default_contexts($1_su_t)
+
+		# Only allow transitions to unprivileged user domains.
+		userdom_spec_domtrans_unpriv_users($1_su_t)
+	')
+
 	optional_policy(`
 		cron_read_pipes($1_su_t)
 	')
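Review bot: The `distro_rhel4` block added here — the three `domain_*_change_exemption` calls, the six `selinux_*` calls and the two `seutil_read_*` calls — is repeated verbatim in the second hunk of this commit (`su_per_userdomain_template`), so the two copies will drift apart the next time one template is touched. Consider moving the shared lines into one helper interface in this file (a name like `su_newrole_base` is only a suggestion) that both templates call, leaving the per-user template to add its tty/pty and policy-flavour specifics. The block also carries no comment explaining why the restricted su domain now needs role- and identity-change exemptions; the commit title is the only hint, so a one-liner such as `# On RHEL4 su carries newrole's role/identity change behaviour, so it needs the same exemptions and context-computation access.` would save the next reader a trip to the changelog. The enclosing template starts before this hunk.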
@@ -180,6 +199,44 @@ template(`su_per_userdomain_template',`
 	userdom_use_user_terminals($1,$1_su_t)
 	userdom_search_user_home_dirs($1,$1_su_t)
 
+	ifdef(`distro_rhel4',`
+		domain_role_change_exemption($1_su_t)
+		domain_subj_id_change_exemption($1_su_t)
+		domain_obj_id_change_exemption($1_su_t)
+
+		selinux_get_fs_mount($1_su_t)
+		selinux_validate_context($1_su_t)
+		selinux_compute_access_vector($1_su_t)
+		selinux_compute_create_context($1_su_t)
+		selinux_compute_relabel_context($1_su_t)
+		selinux_compute_user_contexts($1_su_t)
+
+		# Relabel ttys and ptys.
+		term_relabel_all_user_ttys($1_su_t)
+		term_relabel_all_user_ptys($1_su_t)
+		# Close and re-open ttys and ptys to get the fd into the correct domain.
+		term_use_all_user_ttys($1_su_t)
+		term_use_all_user_ptys($1_su_t)
+
+		seutil_read_config($1_su_t)
+		seutil_read_default_contexts($1_su_t)
+
+		ifdef(`strict_policy',`
+			if(secure_mode) {
+				# Only allow transitions to unprivileged user domains.
+				userdom_spec_domtrans_unpriv_users($1_su_t)
+			} else {
+				# Allow transitions to all user domains
+				userdom_spec_domtrans_all_users($1_su_t)
+			}
+		')
+
+		ifdef(`targeted_policy',`
+			unconfined_domtrans($1_su_t)
+			unconfined_signal($1_su_t)
+		')
+	')
+
 	ifdef(`enable_polyinstantiation',`
 		fs_mount_xattr_fs($1_su_t)
 		fs_unmount_xattr_fs($1_su_t)
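Review bot: The two comments inside the `strict_policy` branch are punctuated inconsistently: `# Only allow transitions to unprivileged user domains.` ends with a period while the sibling `# Allow transitions to all user domains` does not; make it `# Allow transitions to all user domains.` to match. The `if(secure_mode)` conditional presumably relies on the `secure_mode` boolean being declared elsewhere in the policy — nothing in this hunk declares it, so that dependency is worth a note next to the conditional. Unlike the strict branch, the `targeted_policy` branch grants `unconfined_domtrans` and `unconfined_signal` unconditionally; if that is intended because targeted user domains are unconfined anyway, a short comment saying so would make the asymmetry look deliberate rather than accidental. The enclosing template continues past this hunk.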

