authorYuli Khodorkovskiy <ykhodorkovskiy@tresys.com>2014-09-15 13:22:27 -0400
committerSven Vermeulen <sven.vermeulen@siphos.be>2014-09-21 16:02:16 +0200
commit40c1924391dda3a767afbd9c10d19183b5b2bb0e (patch)
tree19866bc5d492b9d583f2f13fffb97aa4220a318b
parent/dev/log symlinks are not labeled devlog_t. (diff)
Remove duplicate role declarations
- This patch is needed since CIL does not allow duplicate role declarations. The roles for system_r, staff_r, sysadm_r, and user_r were already declared in kernel.te. Since the roles are pulled in from require statements in the appropriate interfaces, the duplicate role declarations could be deleted in modules for auditadm, staff, sysadm, and userdomain.
- Move a role declaration that used an argument passed into the userdom_base_user_template into a gen_require statement.
-rw-r--r--policy/modules/roles/auditadm.te1
-rw-r--r--policy/modules/roles/staff.te2
-rw-r--r--policy/modules/roles/sysadm.te2
-rw-r--r--policy/modules/roles/unprivuser.te2
-rw-r--r--policy/modules/system/userdomain.if2
5 files changed, 4 insertions, 5 deletions
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 834a065de..9275a2d5a 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -6,7 +6,6 @@ policy_module(auditadm, 2.2.0)
#
role auditadm_r;
-role system_r;
userdom_unpriv_user_template(auditadm)
########################################
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 27b49b104..631c70b64 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -5,7 +5,7 @@ policy_module(staff, 2.5.1)
# Declarations
#
-role staff_r;
+#role staff_r;
userdom_unpriv_user_template(staff)
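Review bot: The duplicate declaration is commented out here (`#role staff_r;`) rather than deleted, whereas the auditadm.te hunk drops `role system_r;` outright and the commit message speaks of deleting the declarations; the same applies to `#role sysadm_r;` in sysadm.te and `#role user_r;` in unprivuser.te. A commented-out declaration is easy to misread as a disabled role when auditing the RBAC policy, and it no longer tells the reader where the role is actually declared. Either remove the line, or replace it with a comment that says so, e.g. `# staff_r is declared in kernel.te (per the commit message) and required through userdom_unpriv_user_template`.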
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 6265657a5..e4ae74e0d 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -12,7 +12,7 @@ policy_module(sysadm, 2.7.1)
## </desc>
gen_tunable(allow_ptrace, false)
-role sysadm_r;
+#role sysadm_r;
userdom_admin_user_template(sysadm)
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 27431c7b5..5d89d99bf 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -8,7 +8,7 @@ policy_module(unprivuser, 2.5.1)
# Declarations
#
-role user_r;
+#role user_r;
userdom_unpriv_user_template(user)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 08139d931..16a95ccdc 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -27,6 +27,7 @@ template(`userdom_base_user_template',`
attribute userdomain;
type user_devpts_t, user_tty_device_t;
class context contains;
+ role $1_r;
')
attribute $1_file_type;
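Review bot: With `role $1_r;` moved into the `gen_require` block, the template no longer declares the role, so every caller has to declare `$1_r` itself or rely on the base policy; nothing in the visible lines states this, and it should go into the template's header comment, e.g. `## The role $1_r must already be declared by the caller or by the base policy.` The later hunk of this file keeps `allow system_r $1_r;` while the commit also removes `role system_r;` from auditadm.te, so if the require block (which opens above this hunk) does not already list it, `role system_r;` likely belongs next to the new line as well. A missing declaration presumably fails at policy build or link time rather than weakening enforcement, but an explicit contract spares role-module authors from discovering it that way. The template body starts and ends outside this hunk.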
@@ -37,7 +38,6 @@ template(`userdom_base_user_template',`
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
ubac_constrained($1_t)
- role $1_r;
role $1_r types $1_t;
allow system_r $1_r;