authorChris PeBenito <cpebenito@tresys.com>2009-08-31 08:44:11 -0400
committerChris PeBenito <cpebenito@tresys.com>2009-08-31 08:49:57 -0400
commitbd75703c7d1ede2011da2b779103fb8bc81d759e (patch)
tree44f577231909dbcc212fa24e2bbe5a95f0b67c2a
parent9dc3cd1635640b6853817546cd3b8d9080a2cc53 (diff)
reorganize tun patch changes.
-rw-r--r--policy/flask/access_vectors6
-rw-r--r--policy/modules/services/virt.if38
-rw-r--r--policy/modules/system/userdomain.if49
-rw-r--r--policy/modules/system/userdomain.te4
4 files changed, 47 insertions, 50 deletions
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 6292db55..3998b774 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -251,9 +251,6 @@ inherits socket
class unix_dgram_socket
inherits socket
-class tun_socket
-inherits socket
-
#
# Define the access vector interpretation for process-related objects
#
@@ -802,3 +799,6 @@ class kernel_service
use_as_override
create_files_as
}
+
+class tun_socket
+inherits socket
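Review bot: `class tun_socket` now sits after `kernel_service` at the end of the file with no comment, so it looks misplaced next to the other socket classes and invites a later re-sort. If the position is meant to mirror the class order in `policy/flask/security_classes` (that file is not part of this diff, so this is an assumption), say so with a line such as `# tun_socket is declared last to match its position in security_classes`.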
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index b24099a6..4b6091f8 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -61,6 +61,25 @@ interface(`virt_stream_connect',`
########################################
## <summary>
+## Allow domain to attach to virt TUN devices
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_attach_tun_iface',`
+ gen_require(`
+ type virtd_t;
+ ')
+
+ allow $1 virtd_t:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
## Read virt config files.
## </summary>
## <param name="domain">
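Review bot: The summary for `virt_attach_tun_iface` says only "attach", but the two rules grant `relabelfrom` on `virtd_t:tun_socket` and `relabelto` on the caller's own `tun_socket`. In effect the caller takes over a socket created by virtd and gives it its own label. Spelling that out helps anyone auditing which domains may take over virtd's TUN devices, for example `## Allow domain to attach to virt TUN devices by relabeling a virtd_t tun_socket to the domain's own type.` The same wording gap applies to `userdom_attach_admin_tun_iface` in userdomain.if, where the source is every type carrying `admin_tun_type`.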
@@ -327,22 +346,3 @@ interface(`virt_admin',`
virt_manage_log($1)
')
-
-########################################
-## <summary>
-## Allow domain to attach to virt TUN devices
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_attach_tun_iface',`
- gen_require(`
- type virtd_t;
- ')
-
- allow $1 virtd_t:tun_socket relabelfrom;
- allow $1 self:tun_socket relabelto;
-')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index ec8c4956..57d58859 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1055,6 +1055,8 @@ template(`userdom_admin_user_template',`
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
+ typeattribute $1_t admin_tun_type;
+
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
')
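Review bot: `typeattribute $1_t admin_tun_type;` uses an attribute declared in userdomain.te, and nothing in this hunk shows it listed in a `gen_require` for `userdom_admin_user_template`. The template's opening lines are outside the hunk, so this may already be covered. If it is not, a modular build that expands the template from another module would likely fail to resolve the attribute. Adding `attribute admin_tun_type;` to the template's `gen_require` block keeps it self-contained.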
@@ -1066,18 +1068,13 @@ template(`userdom_admin_user_template',`
allow $1_t self:capability ~{ sys_module audit_control audit_write };
allow $1_t self:process { setexec setfscreate };
-
+ allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+ allow $1_t self:tun_socket create;
# Set password information for other users.
allow $1_t self:passwd { passwd chfn chsh };
-
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
- allow $1_t self:netlink_audit_socket nlmsg_readpriv;
-
- allow $1_t self:tun_socket create;
- typeattribute $1_t admin_tun_type;
-
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
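Review bot: The relocated `allow $1_t self:netlink_audit_socket nlmsg_readpriv;` and `allow $1_t self:tun_socket create;` carry no comment, while the passwd rules right below them each have one. A short line such as `# Create TUN devices; other domains attach through userdom_attach_admin_tun_iface().` would tie the rule to the `admin_tun_type` attribute assigned earlier in the template and make the pairing visible to an auditor. The template body starts and ends outside this hunk.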
@@ -1288,6 +1285,25 @@ interface(`userdom_user_home_content',`
########################################
## <summary>
+## Allow domain to attach to TUN devices created by administrative users.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_attach_admin_tun_iface',`
+ gen_require(`
+ attribute admin_tun_type;
+ ')
+
+ allow $1 admin_tun_type:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
## Set the attributes of a user pty.
## </summary>
## <param name="domain">
@@ -3028,22 +3044,3 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
-
-########################################
-## <summary>
-## Allow domain to attach to TUN devices created by administrative users.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`userdom_attach_admin_tun_iface',`
- gen_require(`
- attribute admin_tun_type;
- ')
-
- allow $1 admin_tun_type:tun_socket relabelfrom;
- allow $1 self:tun_socket relabelto;
-')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index f27fd8ad..8cfd9116 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -49,6 +49,8 @@ gen_tunable(user_rw_noexattrfile, false)
## </desc>
gen_tunable(user_ttyfile_stat, false)
+attribute admin_tun_type;
+
# all user domains
attribute userdomain;
@@ -58,8 +60,6 @@ attribute unpriv_userdomain;
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;
-attribute admin_tun_type;
-
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)