From 4ace0fa5d60903c4b1273f3f362fe8e46d82183e Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Jan 26 2006 18:04:57 +0000
Subject: add rolemap/per-userdomain infrastructure


---

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index fa257c8..5b9a9b7 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,7 @@
+- Separate per-userdomain template expansion from the userdomain
+  module and add infrastructure to expand templates in the modules
+  that own the template.
+- Enable secadm only for MLS policies.
 - Remove role change rules in su and sudo since this functionality has been
   removed from these programs.
 - Add ctags Make target from Thomas Bleher.
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 10f513b..ae8f7a5 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -71,6 +71,7 @@ GLOBALBOOL := $(POLDIR)/global_booleans
 MOD_CONF := $(POLDIR)/modules.conf
 TUNABLES := $(POLDIR)/tunables.conf
 BOOLEANS := $(POLDIR)/booleans.conf
+ROLEMAP := $(POLDIR)/rolemap
 
 # install paths
 TOPDIR = $(DESTDIR)/etc/selinux
@@ -183,6 +184,24 @@ OFF_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == 
 
 ########################################
 #
+# Functions
+#
+
+# parse-rolemap modulename,outputfile
+define parse-rolemap
+	$(QUIET) m4 $(M4PARAM) $(ROLEMAP) | \
+		awk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# peruser-expansion modulename,outputfile
+define peruser-expansion
+	$(QUIET) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
+	$(call parse-rolemap,$1,$2)
+	$(QUIET) echo "')" >> $2
+endef
+
+########################################
+#
 # Load appropriate rules
 #
 
diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index 8721f54..f4bb9b0 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
@@ -64,7 +64,8 @@ $(MODPKGDIR)/%.pp: %.pp
 #
 tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
 	@echo "Compliling $(NAME) $(@F) module"
-	$(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+	$(call peruser-expansion,$(basename $(@F)),$@.role)
+	$(QUIET) m4 $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
 	$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
 
 tmp/%.mod.fc: $(M4SUPPORT) %.fc
@@ -109,8 +110,8 @@ tmp/generated_definitions.conf: $(BASE_TE_FILES)
 # define all available object classes
 	$(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@
 # per-userdomain templates
-	$(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@
-	$(QUIET) for i in $(patsubst %.te,%,$(BASE_MODS) $(MOD_MODS)); do \
+	$(QUIET) echo "define(\`base_per_userdomain_template',\`" >> $@
+	$(QUIET) for i in $(patsubst %.te,%,$(BASE_MODS)); do \
 		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
 			>> $@ ;\
 	done
@@ -134,6 +135,7 @@ ifeq ($(BASE_TE_FILES),)
 endif
 	@test -d tmp || mkdir -p tmp
 	$(QUIET) cat $^ > $@
+	$(call parse-rolemap,base,$@)
 
 tmp/post_te_files.conf: $(BASE_POST_TE_FILES)
 	@test -d tmp || mkdir -p tmp
diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic
index 174bdde..7051ec0 100644
--- a/refpolicy/Rules.monolithic
+++ b/refpolicy/Rules.monolithic
@@ -102,7 +102,7 @@ tmp/pre_te_files.conf: $(PRE_TE_FILES)
 tmp/generated_definitions.conf: $(ALL_TE_FILES)
 # per-userdomain templates:
 	@test -d tmp || mkdir -p tmp
-	$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
+	$(QUIET) echo "define(\`base_per_userdomain_template',\`" > $@
 	$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
 		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
 			>> $@ ;\
@@ -127,6 +127,7 @@ ifeq ($(ALL_TE_FILES),)
 endif
 	@test -d tmp || mkdir -p tmp
 	$(QUIET) cat $^ > $@
+	$(call parse-rolemap,base,$@)
 
 tmp/post_te_files.conf: $(POST_TE_FILES)
 	@test -d tmp || mkdir -p tmp
diff --git a/refpolicy/policy/modules/apps/irc.if b/refpolicy/policy/modules/apps/irc.if
index af67fcb..5ad0661 100644
--- a/refpolicy/policy/modules/apps/irc.if
+++ b/refpolicy/policy/modules/apps/irc.if
@@ -47,6 +47,9 @@ template(`irc_per_userdomain_template',`
 
 	type $1_irc_home_t;
 	userdom_home_file($1,$1_irc_home_t)
+
+	type $1_irc_tmp_t;
+	userdom_home_file($1,$1_irc_tmp_t)
 	
 	########################################
 	#
@@ -65,12 +68,12 @@ template(`irc_per_userdomain_template',`
 	userdom_create_user_home($1,$1_irc_t,{ dir file lnk_file },$1_irc_home_t)
 
 	# access files under /tmp
-	allow $1_irc_t $1_tmp_t:dir create_dir_perms;
-	allow $1_irc_t $1_tmp_t:file create_file_perms;
-	allow $1_irc_t $1_tmp_t:lnk_file create_lnk_perms;
-	allow $1_irc_t $1_tmp_t:sock_file create_file_perms;
-	allow $1_irc_t $1_tmp_t:fifo_file create_file_perms;
-	files_filetrans_tmp($1_irc_t,$1_tmp_t,{ file dir lnk_file sock_file fifo_file })
+	allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
+	allow $1_irc_t $1_irc_tmp_t:file create_file_perms;
+	allow $1_irc_t $1_irc_tmp_t:lnk_file create_lnk_perms;
+	allow $1_irc_t $1_irc_tmp_t:sock_file create_file_perms;
+	allow $1_irc_t $1_irc_tmp_t:fifo_file create_file_perms;
+	files_filetrans_tmp($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
 
 	# Transition from the user domain to the derived domain.
 	domain_auto_trans($2,irc_exec_t,$1_irc_t)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 5a954dc..95a559e 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -680,7 +680,7 @@ interface(`dev_manage_all_chr_files',`
 #
 interface(`dev_getattr_agp_dev',`
 	gen_require(`
-		type device_t, dri_device_t;
+		type device_t, agp_device_t;
 	')
 
 	allow $1 device_t:dir r_dir_perms;
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index e42a60e..477327c 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -274,6 +274,7 @@ template(`cron_per_userdomain_template',`
 template(`cron_admin_template',`
 	gen_require(`
 		attribute cron_spool_type;
+		type $1_crontab_t, $1_crond_t;
 	')
 
 	# Allow our crontab domain to unlink a user cron spool file.
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 358ae9c..3ed30bd 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -262,6 +262,10 @@ template(`mta_per_userdomain_template',`
 ## </param>
 #
 template(`mta_admin_template',`
+	gen_require(`
+		type $1_mail_t;
+	')
+
 	ifdef(`strict_policy',`
 		# allow the sysadmin to do "mail someone < /home/user/whatever"
 		userdom_read_unpriv_user_home_files($1_mail_t)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 21032db..583b3c9 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -167,7 +167,7 @@ template(`auth_domtrans_user_chk_passwd',`
 		allow system_chkpwd_t $2:process sigchld;
 	',`
 		gen_require(`
-			type chkpwd_exec_t;
+			type $1_chkpwd_t, chkpwd_exec_t;
 		')
 
 		corecmd_search_bin($2)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index a070ebf..10ea2a7 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -142,13 +142,6 @@ template(`base_user_template',`
 
 	allow $1_t unpriv_userdomain:fd use;
 
-	# Instantiate derived domains for a number of programs.
-	# These derived domains encode both information about the calling
-	# user domain and the program, and allow us to maintain separation
-	# between different instances of the program being run by different
-	# user domains.
-	per_userdomain_templates($1,$1_t,$1_r)
-
 	kernel_read_kernel_sysctl($1_t)
 	kernel_dontaudit_list_unlabeled($1_t)
 	kernel_dontaudit_getattr_unlabeled_file($1_t)
@@ -2049,7 +2042,7 @@ template(`userdom_manage_user_tmp_sockets',`
 #
 template(`userdom_rw_user_tmpfs_files',`
 	gen_require(`
-		type $1_tmp_t;
+		type $1_tmpfs_t;
 	')
 
 	fs_search_tmpfs($2)
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 374a6b7..3cd7f1d 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,8 +1,12 @@
 
-policy_module(userdomain,1.2.3)
+policy_module(userdomain,1.2.4)
 
 gen_require(`
-	role sysadm_r, staff_r, user_r, secadm_r;
+	role sysadm_r, staff_r, user_r;
+
+	ifdef(`enable_mls',`
+		role secadm_r;
+	')
 ')
 
 ########################################
@@ -111,7 +115,6 @@ ifdef(`targeted_policy',`
 	')
 ',`
 	admin_user_template(sysadm)
-	admin_user_template(secadm)
 	unpriv_user_template(staff)
 	unpriv_user_template(user)
 
@@ -122,7 +125,11 @@ ifdef(`targeted_policy',`
 
 	# only staff_r can change to sysadm_r
 	role_change(staff, sysadm)
-	role_change(staff, secadm)
+
+	ifdef(`enable_mls',`
+		admin_user_template(secadm)
+		role_change(staff, secadm)
+	')
 
 	# this should be tunable_policy, but
 	# currently type_change and RBAC allow
diff --git a/refpolicy/policy/rolemap b/refpolicy/policy/rolemap
new file mode 100644
index 0000000..012da6c
--- /dev/null
+++ b/refpolicy/policy/rolemap
@@ -0,0 +1,17 @@
+#
+# This file contains the mappings
+# used for per-userdomain template
+# infrastructure
+#
+# Each line has: role prefix user_domain
+#
+
+ifdef(`strict_policy',`
+	user_r user user_t
+	staff_r staff staff_t
+	sysadm_r sysadm sysadm_t
+
+	ifdef(`enable_mls',`
+		secadm_r secadm secadm_t
+	')
+')