add main part of role-o-matic

Hanjey · Sep 6, 2006 · bbcd3c9 · bbcd3c9
1 parent 75beb95
commit bbcd3c9
Show file tree

Hide file tree

Showing 122 changed files with 1,416 additions and 658 deletions.
diff --git a/Changelog b/Changelog
@@ -1,3 +1,4 @@
+- Add role infrastructure.
 - Debian updates from Erich Schubert.
 - Add nscd_socket_use() to auth_use_nsswitch().
 - Remove old selopt rules.

diff --git a/Makefile b/Makefile
@@ -295,17 +295,46 @@ filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\
 # Functions
 #
 
+# parse-rolemap-compat modulename,outputfile
+define parse-rolemap-compat
+	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
 # parse-rolemap modulename,outputfile
 define parse-rolemap
 	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
 endef
 
-# peruser-expansion modulename,outputfile
-define peruser-expansion
-	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
+# perrole-expansion modulename,outputfile
+define perrole-expansion
+	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
 	$(call parse-rolemap,$1,$2)
 	$(verbose) echo "')" >> $2
+
+	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+	$(call parse-rolemap-compat,$1,$2)
+	$(verbose) echo "')" >> $2
+endef
+
+# create-base-per-role-tmpl modulenames,outputfile
+define create-base-per-role-tmpl
+	$(verbose) echo "define(\`base_per_role_template',\`" >> $2
+
+	$(verbose) for i in $1; do \
+		echo "ifdef(\`""$$i""_per_role_template',\`""$$i""_per_role_template("'$$*'")')" \
+			>> $2 ;\
+	done
+
+	$(verbose) for i in $1; do \
+		echo "ifdef(\`""$$i""_per_userdomain_template',\`" >> $2 ;\
+		echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$$i""_per_userdomain_template)'__endline__)" >> $2 ;\
+		echo """$$i""_per_userdomain_template("'$$*'")')"  >> $2 ;\
+	done
+	$(verbose) echo "')" >> $@
+
 endef
 
 ########################################

diff --git a/Rules.modular b/Rules.modular
@@ -71,7 +71,7 @@ $(modpkgdir)/%.pp: $(builddir)%.pp
 $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
 	@echo "Compliling $(NAME) $(@F) module"
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
-	$(call peruser-expansion,$(basename $(@F)),$@.role)
+	$(call perrole-expansion,$(basename $(@F)),$@.role)
 	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
 
@@ -120,13 +120,7 @@ $(tmpdir)/generated_definitions.conf: $(base_te_files)
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 # define all available object classes
 	$(verbose) $(genperm) $(avs) $(secclass) > $@
-# per-userdomain templates
-	$(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
-	$(verbose) for i in $(patsubst %.te,%,$(base_mods)); do \
-		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
-			>> $@ ;\
-	done
-	$(verbose) echo "')" >> $@
+	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
 
 $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy

diff --git a/Rules.monolithic b/Rules.monolithic
@@ -114,11 +114,7 @@ $(tmpdir)/generated_definitions.conf: $(all_te_files)
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 # define all available object classes
 	$(verbose) $(genperm) $(avs) $(secclass) > $@
-# per-userdomain templates:
-	$(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
-	$(verbose) $(foreach mod,$(basename $(notdir $(all_modules))), \
-		echo "ifdef(\`""$(mod)""_per_userdomain_template',\`""$(mod)""_per_userdomain_template("'$$*'")')" >> $@ ;)
-	$(verbose) echo "')" >> $@
+	$(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
 
 $(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)

diff --git a/doc/policy.dtd b/doc/policy.dtd
@@ -20,9 +20,9 @@
       name CDATA #REQUIRED
       dftval CDATA #REQUIRED>
 <!ELEMENT summary (#PCDATA)>
-<!ELEMENT interface (summary,desc?,param+,infoflow?)>
+<!ELEMENT interface (summary,desc?,param+,infoflow?,(rolebase|rolecap)?)>
 <!ATTLIST interface name CDATA #REQUIRED lineno CDATA #REQUIRED>
-<!ELEMENT template (summary,desc?,param+)>
+<!ELEMENT template (summary,desc?,param+,(rolebase|rolecap)?)>
 <!ATTLIST template name CDATA #REQUIRED lineno CDATA #REQUIRED>
 <!ELEMENT desc (#PCDATA|%inline.class;)*>
 <!ELEMENT param (summary)>
@@ -33,6 +33,8 @@
 <!ATTLIST infoflow 
       type CDATA #REQUIRED
       weight CDATA #IMPLIED>
+<!ELEMENT rolebase EMPTY>
+<!ELEMENT rolecap EMPTY>
 
 <!ATTLIST pre caption CDATA #IMPLIED>
 <!ELEMENT p (#PCDATA|%inline.class;)*>

diff --git a/policy/global_tunables b/policy/global_tunables
@@ -534,13 +534,6 @@ gen_tunable(user_net_control,false)
 ## </desc>
 gen_tunable(user_rw_noexattrfile,false)
 
-## <desc>
-## <p>
-## Allow users to rw usb devices
-## </p>
-## </desc>
-gen_tunable(user_rw_usb,false)
-
 ## <desc>
 ## <p>
 ## Allow users to run TCP servers (bind to ports and accept connection from

diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
@@ -43,6 +43,7 @@ interface(`amanda_domtrans_recover',`
 ##	The type of the terminal allow the amanda_recover domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`amanda_run_recover',`
 	gen_require(`

diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
@@ -45,6 +45,7 @@ interface(`apt_domtrans',`
 ##	The type of the terminal allow the apt domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`apt_run',`
 	gen_require(`

diff --git a/policy/modules/admin/backup.if b/policy/modules/admin/backup.if
@@ -41,6 +41,7 @@ interface(`backup_domtrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`backup_run',`
 	gen_require(`

diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
@@ -43,6 +43,7 @@ interface(`bootloader_domtrans',`
 ##	The type of the terminal allow the bootloader domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`bootloader_run',`
 	gen_require(`
@@ -83,6 +84,7 @@ interface(`bootloader_read_config',`
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`bootloader_rw_config',`
 	gen_require(`

diff --git a/policy/modules/admin/certwatch.if b/policy/modules/admin/certwatch.if
@@ -47,6 +47,7 @@ interface(`certwatch_domtrans',`
 ##	The type of the terminal allow the certwatch domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`certwatach_run',`
 	gen_require(`

diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
@@ -66,6 +66,7 @@ interface(`consoletype_run',`
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`consoletype_exec',`
 	gen_require(`

diff --git a/policy/modules/admin/ddcprobe.if b/policy/modules/admin/ddcprobe.if
@@ -43,6 +43,7 @@ interface(`ddcprobe_domtrans',`
 ##	The type of the terminal allow the clock domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`ddcprobe_run',`
 	gen_require(`

diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
@@ -42,6 +42,7 @@ interface(`dmesg_domtrans',`
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dmesg_exec',`
 	ifdef(`targeted_policy',`

diff --git a/policy/modules/admin/dmidecode.if b/policy/modules/admin/dmidecode.if
@@ -43,6 +43,7 @@ interface(`dmidecode_domtrans',`
 ##	The type of the terminal allow the dmidecode domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dmidecode_run',`
 	gen_require(`

diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if
@@ -71,6 +71,7 @@ interface(`dpkg_domtrans_script',`
 ##	The type of the terminal allow the dpkg domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dpkg_run',`
 	gen_require(`

diff --git a/policy/modules/admin/kudzu.if b/policy/modules/admin/kudzu.if
@@ -43,6 +43,7 @@ interface(`kudzu_domtrans',`
 ##	The type of the terminal allow the kudzu domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kudzu_run',`
 	gen_require(`

diff --git a/policy/modules/admin/logrotate.if b/policy/modules/admin/logrotate.if
@@ -43,6 +43,7 @@ interface(`logrotate_domtrans',`
 ##	The type of the terminal allow the logrotate domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`logrotate_run',`
 	gen_require(`

diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
@@ -43,6 +43,7 @@ interface(`netutils_domtrans',`
 ##	The type of the terminal allow the netutils domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`netutils_run',`
 	gen_require(`
@@ -151,6 +152,7 @@ interface(`netutils_signal_ping',`
 ##	The type of the terminal allow the ping domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`netutils_run_ping',`
 	gen_require(`
@@ -182,6 +184,7 @@ interface(`netutils_run_ping',`
 ##	The type of the terminal allow the ping domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`netutils_run_ping_cond',`
 	gen_require(`
@@ -258,6 +261,7 @@ interface(`netutils_domtrans_traceroute',`
 ##	The type of the terminal allow the traceroute domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`netutils_run_traceroute',`
 	gen_require(`
@@ -289,6 +293,7 @@ interface(`netutils_run_traceroute',`
 ##	The type of the terminal allow the traceroute domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`netutils_run_traceroute_cond',`
 	gen_require(`

diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
@@ -54,6 +54,7 @@ interface(`portage_domtrans',`
 ##	The type of the terminal allow for portage to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`portage_run',`
 	gen_require(`
@@ -394,6 +395,7 @@ interface(`portage_domtrans_gcc_config',`
 ##	The type of the terminal allow for gcc_config to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`portage_run_gcc_config',`
 	gen_require(`

diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
@@ -43,6 +43,7 @@ interface(`quota_domtrans',`
 ##	The type of the terminal allow the quota domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`quota_run',`
 	gen_require(`

diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
@@ -68,6 +68,7 @@ interface(`rpm_domtrans_script',`
 ##	The type of the terminal allow the RPM domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`rpm_run',`
 	gen_require(`

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
@@ -127,7 +127,7 @@ template(`su_restricted_domain_template', `
 
 #######################################
 ## <summary>
-##	The per user domain template for the su module.
+##	The per role template for the su module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -158,7 +158,7 @@ template(`su_restricted_domain_template', `
 ##	</summary>
 ## </param>
 #
-template(`su_per_userdomain_template',`
+template(`su_per_role_template',`
 	gen_require(`
 		type su_exec_t;
 		bool secure_mode;

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the sudo module.
+##	The per role template for the sudo module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -33,7 +33,7 @@
 ##	</summary>
 ## </param>
 #
-template(`sudo_per_userdomain_template',`
+template(`sudo_per_role_template',`
 
 	gen_require(`
 		type sudo_exec_t;

diff --git a/policy/modules/admin/sxid.if b/policy/modules/admin/sxid.if
@@ -10,6 +10,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`sxid_read_log',`
 	gen_require(`

diff --git a/policy/modules/admin/tripwire.if b/policy/modules/admin/tripwire.if
@@ -54,6 +54,7 @@ interface(`tripwire_domtrans_tripwire',`
 ##	The type of the terminal allow the tripwire domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`tripwire_run_tripwire',`
 	gen_require(`
@@ -106,6 +107,7 @@ interface(`tripwire_domtrans_twadmin',`
 ##	The type of the terminal allow the twadmin domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`tripwire_run_twadmin',`
 	gen_require(`
@@ -158,6 +160,7 @@ interface(`tripwire_domtrans_twprint',`
 ##	The type of the terminal allow the twprint domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`tripwire_run_twprint',`
 	gen_require(`
@@ -210,6 +213,7 @@ interface(`tripwire_domtrans_siggen',`
 ##	The type of the terminal allow the siggen domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`tripwire_run_siggen',`
 	gen_require(`

diff --git a/policy/modules/admin/usbmodules.if b/policy/modules/admin/usbmodules.if
@@ -45,6 +45,7 @@ interface(`usbmodules_domtrans',`
 ##	The type of the terminal allow the usbmodules domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`usbmodules_run',`
 	gen_require(`