Fix users for SELinux userspace 3.4

Latest yet to be released userspace version 3.4 added new validation and discovered several issues in current implementation. This patch tries to address them: - move guest and xguest module from contrib to roles - refpolicy did this change long time ago - roles guest_r and xguest_r need to be defined in kernel.te - gen_user() is supposed to be in policy/users, not in modules - drop role multiple definitions from userdom_base_user_template as it's and is supposed to be defined in kernel.te
fedora-selinux · May 2, 2022 · e1e216b · e1e216b
1 parent e5475f5
commit e1e216b
Show file tree

Hide file tree

Showing 9 changed files with 9 additions and 8 deletions.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
@@ -39,6 +39,9 @@ role user_r;
 # here until order dependence is fixed:
 role unconfined_r;
 
+role guest_r;
+role xguest_r;
+
 ifdef(`enable_mls',`
 	role secadm_r;
 	role auditadm_r;

diff --git a/policy/modules/contrib/guest.fc → policy/modules/roles/guest.fc b/policy/modules/contrib/guest.fc → policy/modules/roles/guest.fc
diff --git a/policy/modules/contrib/guest.if → policy/modules/roles/guest.if b/policy/modules/contrib/guest.if → policy/modules/roles/guest.if
diff --git a/policy/modules/contrib/guest.te → policy/modules/roles/guest.te b/policy/modules/contrib/guest.te → policy/modules/roles/guest.te
@@ -5,7 +5,7 @@ policy_module(guest, 1.3.0)
 # Declarations
 #
 
-role guest_r;
+# role guest_r;
 
 userdom_restricted_user_template(guest)
 
@@ -20,4 +20,4 @@ optional_policy(`
 	apache_role(guest_r, guest_t)
 ')
 
-gen_user(guest_u, user, guest_r, s0, s0)
+# gen_user(guest_u, user, guest_r, s0, s0)
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
@@ -399,5 +399,4 @@ optional_policy(`
 	xserver_xsession_entry_type(unconfined_t)
 ')
 
-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
+# gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/policy/modules/contrib/xguest.fc → policy/modules/roles/xguest.fc b/policy/modules/contrib/xguest.fc → policy/modules/roles/xguest.fc
diff --git a/policy/modules/contrib/xguest.if → policy/modules/roles/xguest.if b/policy/modules/contrib/xguest.if → policy/modules/roles/xguest.if
diff --git a/policy/modules/contrib/xguest.te → policy/modules/roles/xguest.te b/policy/modules/contrib/xguest.te → policy/modules/roles/xguest.te
@@ -26,7 +26,7 @@ gen_tunable(xguest_connect_network, true)
 ## </desc>
 gen_tunable(xguest_use_bluetooth, true)
 
-role xguest_r;
+# role xguest_r;
 
 userdom_restricted_xwindows_user_template(xguest)
 sysnet_dns_name_resolve(xguest_t)
@@ -203,4 +203,4 @@ optional_policy(`
 	role xguest_r types mozilla_t;
 ')
 
-gen_user(xguest_u, user, xguest_r, s0, s0)
+# gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
@@ -27,19 +27,18 @@ template(`userdom_base_user_template',`
 		attribute userdomain;
 		type user_devpts_t, user_tty_device_t;
 		class context contains;
+		role $1_r;
 	')
 
 	attribute $1_file_type;
 	attribute $1_usertype;
 
 	type $1_t, userdomain, $1_usertype;
 	domain_type($1_t)
-	role $1_r;
 	corecmd_shell_entry_type($1_t)
 	corecmd_bin_entry_type($1_t)
 	domain_user_exemption_target($1_t)
 	ubac_constrained($1_t)
-	role $1_r;
 	role $1_r types $1_t;
 	allow system_r $1_r;