Return-Path: <SRS0=ViyY=PP=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS,
	USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id CC483C43387
	for <selinux-refpolicy@archiver.kernel.org>; Mon,  7 Jan 2019 03:04:11 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 863B32085B
	for <selinux-refpolicy@archiver.kernel.org>; Mon,  7 Jan 2019 03:04:11 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="AUDerw4T"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726298AbfAGDEL (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Sun, 6 Jan 2019 22:04:11 -0500
Received: from smtp.sws.net.au ([46.4.88.250]:50340 "EHLO smtp.sws.net.au"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726176AbfAGDEK (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sun, 6 Jan 2019 22:04:10 -0500
Received: from xev.coker.com.au (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id 64A84EC76
        for <selinux-refpolicy@vger.kernel.org>; Mon,  7 Jan 2019 14:04:08 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1546830249;
        bh=LGB1gnhFoF1XG8PxRwwMEzvMZmRwbirIVo+xhLW1CuQ=; l=4587;
        h=Date:From:To:Subject:From;
        b=AUDerw4THGoJxb4uLnNFJmwwTBZMh/O3iFmcgF2KnKe3RBqy+x50eHqx+23XbR7Um
         Je1Pxfuowm0MwnZbsWvQfkWpjlR0ctp/IsRPO6p4iVRRLCXU0uwLegt9i9JkWjgoFu
         okQdV+xylx346xviNi5rBPqPuBH7eJ7Kawsul8k4=
Received: by xev.coker.com.au (Postfix, from userid 1001)
        id BFAFAC3DBCE; Mon,  7 Jan 2019 14:04:02 +1100 (AEDT)
Date:   Mon, 7 Jan 2019 14:04:02 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH cron 1/2] stem
Message-ID: <20190107030402.GA29392@xev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

This patch makes the parameter the stem of the user role (EG "user") instead
of the user domain (EG "user_t") the parameter.  Separate from the next patch
to make things easier to understand.

Index: refpolicy-2.20180701/policy/modules/services/cron.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.if
+++ refpolicy-2.20180701/policy/modules/services/cron.if
@@ -51,15 +51,16 @@ template(`cron_common_crontab_template',
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	stem of domain for the role.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`cron_role',`
 	gen_require(`
-		type cronjob_t, crontab_t, crontab_exec_t;
-		type user_cron_spool_t, crond_t;
+		type cronjob_t;
+		type crontab_exec_t, crond_t;
+		type crontab_t, user_cron_spool_t;
 		bool cron_userdomain_transition;
 	')
 
@@ -68,47 +69,48 @@ interface(`cron_role',`
 	# Declarations
 	#
 
-	role $1 types { cronjob_t crontab_t };
+	role $1 types { cronjob_t };
+	role $1 types { crontab_t };
 
 	##############################
 	#
 	# Local policy
 	#
 
-	domtrans_pattern($2, crontab_exec_t, crontab_t)
+	domtrans_pattern($2_t, crontab_exec_t, crontab_t)
 
-	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-	allow $2 crond_t:process sigchld;
+	dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
+	allow $2_t crond_t:process sigchld;
 
-	allow $2 user_cron_spool_t:file { getattr read write ioctl };
+	allow $2_t user_cron_spool_t:file { getattr read write ioctl };
 
-	allow $2 crontab_t:process { ptrace signal_perms };
-	ps_process_pattern($2, crontab_t)
+	allow $2_t crontab_t:process { ptrace signal_perms };
+	ps_process_pattern($2_t, crontab_t)
 
 	corecmd_exec_bin(crontab_t)
 	corecmd_exec_shell(crontab_t)
 
 	tunable_policy(`cron_userdomain_transition',`
-		allow crond_t $2:process transition;
-		allow crond_t $2:fd use;
-		allow crond_t $2:key manage_key_perms;
+		allow crond_t $2_t:process transition;
+		allow crond_t $2_t:fd use;
+		allow crond_t $2_t:key manage_key_perms;
 
-		allow $2 user_cron_spool_t:file entrypoint;
+		allow $2_t user_cron_spool_t:file entrypoint;
 
-		allow $2 crond_t:fifo_file rw_fifo_file_perms;
+		allow $2_t crond_t:fifo_file rw_fifo_file_perms;
 
-		allow $2 cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2, cronjob_t)
+		allow $2_t cronjob_t:process { ptrace signal_perms };
+		ps_process_pattern($2_t, cronjob_t)
 	',`
-		dontaudit crond_t $2:process transition;
-		dontaudit crond_t $2:fd use;
-		dontaudit crond_t $2:key manage_key_perms;
+		dontaudit crond_t $2_t:process transition;
+		dontaudit crond_t $2_t:fd use;
+		dontaudit crond_t $2_t:key manage_key_perms;
 
-		dontaudit $2 user_cron_spool_t:file entrypoint;
+		dontaudit $2_t user_cron_spool_t:file entrypoint;
 
-		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+		dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
 
-		dontaudit $2 cronjob_t:process { ptrace signal_perms };
+		dontaudit $2_t cronjob_t:process { ptrace signal_perms };
 	')
 
 	optional_policy(`
@@ -118,7 +120,7 @@ interface(`cron_role',`
 
 		dbus_stub(cronjob_t)
 
-		allow cronjob_t $2:dbus send_msg;
+		allow cronjob_t $2_t:dbus send_msg;
 	')
 ')
 
Index: refpolicy-2.20180701/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20180701/policy/modules/roles/staff.te
@@ -82,7 +82,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		cron_role(staff_r, staff_t)
+		cron_role(staff_r, staff)
 	')
 
 	optional_policy(`
Index: refpolicy-2.20180701/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20180701/policy/modules/roles/unprivuser.te
@@ -50,7 +50,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		cron_role(user_r, user_t)
+		cron_role(user_r, user)
 	')
 
 	optional_policy(`
Index: refpolicy-2.20180701/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20180701/policy/modules/system/unconfined.te
@@ -82,7 +82,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	cron_unconfined_role(unconfined_r, unconfined_t)
+	cron_role(unconfined_r, unconfined)
 ')
 
 optional_policy(`