commit: 40c1924391dda3a767afbd9c10d19183b5b2bb0e
Author: Yuli Khodorkovskiy <ykhodorkovskiy <AT> tresys <DOT> com>
AuthorDate: Mon Sep 15 17:22:27 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:02:16 2014 +0000
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=40c19243
Remove duplicate role declarations
-This patch is needed since CIL does not allow duplicate
role declarations. The roles for system_r, staff_r, sysadm_r, and
user_r were already declared in kernel.te. Since the roles are
pulled in from require statements in the appropriate interfaces,
the duplicate role declarations could be deleted in modules for
auditadm, staff, sysadm, and userdomain.
-Move a role declaration that used an argument passed into the
userdom_base_user_template into a gen_require statement.
---
policy/modules/roles/auditadm.te | 1 -
policy/modules/roles/staff.te | 2 +-
policy/modules/roles/sysadm.te | 2 +-
policy/modules/roles/unprivuser.te | 2 +-
policy/modules/system/userdomain.if | 2 +-
5 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 834a065..9275a2d 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -6,7 +6,6 @@ policy_module(auditadm, 2.2.0)
#
role auditadm_r;
-role system_r;
userdom_unpriv_user_template(auditadm)
########################################
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 27b49b1..631c70b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -5,7 +5,7 @@ policy_module(staff, 2.5.1)
# Declarations
#
-role staff_r;
+#role staff_r;
userdom_unpriv_user_template(staff)
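Review bot: The replacement line leaves `#role staff_r;` as commented-out policy instead of deleting it, which is inconsistent with the auditadm.te hunk (where `role system_r;` is removed outright) and with the commit message, which says the duplicates could be deleted; the sysadm.te and unprivuser.te hunks do the same with `#role sysadm_r;` and `#role user_r;`. A commented-out declaration tells the next reader that the role used to be declared here but not where it is declared now, so the kernel.te dependency has to be rediscovered. Drop the line in all three files, or if a marker is wanted, make it say why: `# staff_r is declared in kernel.te; CIL rejects a second declaration.`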
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 6265657..e4ae74e 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -12,7 +12,7 @@ policy_module(sysadm, 2.7.1)
## </desc>
gen_tunable(allow_ptrace, false)
-role sysadm_r;
+#role sysadm_r;
userdom_admin_user_template(sysadm)
diff --git a/policy/modules/roles/unprivuser.te
b/policy/modules/roles/unprivuser.te
index 27431c7..5d89d99 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -8,7 +8,7 @@ policy_module(unprivuser, 2.5.1)
# Declarations
#
-role user_r;
+#role user_r;
userdom_unpriv_user_template(user)
diff --git a/policy/modules/system/userdomain.if
b/policy/modules/system/userdomain.if
index 08139d9..16a95cc 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -27,6 +27,7 @@ template(`userdom_base_user_template',`
attribute userdomain;
type user_devpts_t, user_tty_device_t;
class context contains;
+ role $1_r;
')
attribute $1_file_type;
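Review bot: Putting `role $1_r;` into the gen_require changes the template's contract — a caller whose `$1_r` is not declared elsewhere now fails at policy link instead of having the role declared here — and the template's `## <param>` documentation, which sits above this hunk, does not record that. Add to the userdomain_prefix parameter description a line such as `## The role $1_r must already be declared (in kernel.te for the in-tree roles); this template only requires it.` Any out-of-tree module that instantiates userdom_base_user_template with a new prefix will presumably need to declare its own role, which is worth a sentence in the commit message as well. The template body begins before and continues past this hunk.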
@@ -37,7 +38,6 @@ template(`userdom_base_user_template',`
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
ubac_constrained($1_t)
- role $1_r;
role $1_r types $1_t;
allow system_r $1_r;