From: pjnuzzi@tycho.ncsc.mil (Paul Nuzzi)
Date: Mon, 20 Sep 2010 10:34:28 -0400
Subject: [refpolicy] [PATCH] hadoop 1/10 -- unconfined
Message-ID: <4C9770F4.9070602@tycho.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I fixed the hadoop patch based on all of the feedback I received.  Added role support for sysadm_r to all of the services and programs.  Steve and I were not able to successfully use init_script_domain.  The interface didn't provide what we needed so I had to patch unconfined.if with a role transition interface.  It was also causing problems with sysadm_r.  I split up the patches since it was huge. 

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>

---
 policy/modules/system/unconfined.if |   25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 416e668..3364eb3 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -279,6 +279,31 @@ interface(`unconfined_domtrans_to',`
 
 ########################################
 ## <summary>
+##	Allow a program to enter the specified domain through the
+## 	unconfined role.
+## </summary>
+## <desc>
+##	<p>
+##	Allow unconfined role to execute the specified program in
+##	the specified domain.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to execute in.
+##	</summary>
+## </param>
+#
+interface(`unconfined_roletrans',`
+	gen_require(`
+		role unconfined_r;
+	')
+
+	role unconfined_r types $1;
+')
+
+########################################
+## <summary>
 ##	Allow unconfined to execute the specified program in
 ##	the specified domain.  Allow the specified domain the
 ##	unconfined role and use of unconfined user terminals.