[selinux-policy: 1319/3172] add back newrole functionality in rhel4
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:59:27 UTC 2010
commit 58a38222746be6242657f7ca4f3917db50c24749
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Mar 31 15:34:13 2006 +0000
add back newrole functionality in rhel4
refpolicy/policy/modules/admin/su.if | 57 ++++++++++++++++++++++++++++++++++
1 files changed, 57 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index b248a9a..2e1116f 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -61,6 +61,25 @@ template(`su_restricted_domain_template', `
miscfiles_read_localization($1_su_t)
+ ifdef(`distro_rhel4',`
+ domain_role_change_exemption($1_su_t)
+ domain_subj_id_change_exemption($1_su_t)
+ domain_obj_id_change_exemption($1_su_t)
+
+ selinux_get_fs_mount($1_su_t)
+ selinux_validate_context($1_su_t)
+ selinux_compute_access_vector($1_su_t)
+ selinux_compute_create_context($1_su_t)
+ selinux_compute_relabel_context($1_su_t)
+ selinux_compute_user_contexts($1_su_t)
+
+ seutil_read_config($1_su_t)
+ seutil_read_default_contexts($1_su_t)
+
+ # Only allow transitions to unprivileged user domains.
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+ ')
+
optional_policy(`
cron_read_pipes($1_su_t)
')
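Review bot: In the `distro_rhel4` block added to `su_restricted_domain_template`, `domain_obj_id_change_exemption($1_su_t)` is granted although nothing in this hunk relabels an object; the second hunk pairs the same exemption with `term_relabel_all_user_ttys` and `term_relabel_all_user_ptys`. If the restricted template never relabels terminals, the exemption looks wider than this domain needs and could probably be dropped, keeping only the role and subject-identity exemptions. The three exemptions also deserve a why-comment, for example `# RHEL4 su changes role and SELinux identity itself, so it must be exempt from the change constraints.` (wording to be confirmed by the author). The template body starts before and continues after this hunk, so a relabel call outside the visible lines cannot be ruled out.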
@@ -180,6 +199,44 @@ template(`su_per_userdomain_template',`
userdom_use_user_terminals($1,$1_su_t)
userdom_search_user_home_dirs($1,$1_su_t)
+ ifdef(`distro_rhel4',`
+ domain_role_change_exemption($1_su_t)
+ domain_subj_id_change_exemption($1_su_t)
+ domain_obj_id_change_exemption($1_su_t)
+
+ selinux_get_fs_mount($1_su_t)
+ selinux_validate_context($1_su_t)
+ selinux_compute_access_vector($1_su_t)
+ selinux_compute_create_context($1_su_t)
+ selinux_compute_relabel_context($1_su_t)
+ selinux_compute_user_contexts($1_su_t)
+
+ # Relabel ttys and ptys.
+ term_relabel_all_user_ttys($1_su_t)
+ term_relabel_all_user_ptys($1_su_t)
+ # Close and re-open ttys and ptys to get the fd into the correct domain.
+ term_use_all_user_ttys($1_su_t)
+ term_use_all_user_ptys($1_su_t)
+
+ seutil_read_config($1_su_t)
+ seutil_read_default_contexts($1_su_t)
+
+ ifdef(`strict_policy',`
+ if(secure_mode) {
+ # Only allow transitions to unprivileged user domains.
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+ } else {
+ # Allow transitions to all user domains
+ userdom_spec_domtrans_all_users($1_su_t)
+ }
+ ')
+
+ ifdef(`targeted_policy',`
+ unconfined_domtrans($1_su_t)
+ unconfined_signal($1_su_t)
+ ')
+ ')
+
ifdef(`enable_polyinstantiation',`
fs_mount_xattr_fs($1_su_t)
fs_unmount_xattr_fs($1_su_t)
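Review bot: The `else` branch of `if(secure_mode)` grants `userdom_spec_domtrans_all_users($1_su_t)` to a domain that the same block exempts from the role and identity change constraints, so with the boolean off nothing in this policy block limits which user domain `$1_su_t` can enter. The default of `secure_mode` is not visible in this hunk, so the comment should state what the branch relies on, e.g. `# secure_mode off: su may enter any user domain (presumably including administrative ones); su's own authentication is then the only gate.` The `targeted_policy` branch has no comment at all; something like `# targeted: su hands off to the unconfined domain and may signal it.` would document the intent. `su_per_userdomain_template` starts before and continues after this hunk.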