From 2efb746c678589d77fa0e5dc8d22bc82b4ac5383 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 8 Aug 2021 12:36:02 -0400 Subject: [PATCH] thunderbird, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge --- policy/modules/apps/thunderbird.if | 35 +++++++++++++++++++++--------- policy/modules/roles/staff.te | 2 +- policy/modules/roles/sysadm.te | 2 +- policy/modules/roles/unprivuser.te | 2 +- 4 files changed, 28 insertions(+), 13 deletions(-) diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if index 9c5f0b911..6c6017e08 100644 --- a/policy/modules/apps/thunderbird.if +++ b/policy/modules/apps/thunderbird.if @@ -4,39 +4,54 @@ ## ## Role access for thunderbird. ## -## +## ## -## Role allowed access. +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## ## User domain for the role. ## ## +## +## +## User exec domain for execute and transition access. +## +## +## +## +## Role allowed access +## +## # -interface(`thunderbird_role',` +template(`thunderbird_role',` gen_require(` attribute_role thunderbird_roles; type thunderbird_t, thunderbird_exec_t, thunderbird_home_t; type thunderbird_tmpfs_t; ') - roleattribute $1 thunderbird_roles; + roleattribute $4 thunderbird_roles; - domtrans_pattern($2, thunderbird_exec_t, thunderbird_t) + domtrans_pattern($3, thunderbird_exec_t, thunderbird_t) - stream_connect_pattern($2, thunderbird_tmpfs_t, thunderbird_tmpfs_t, thunderbird_t) + stream_connect_pattern($3, thunderbird_tmpfs_t, thunderbird_tmpfs_t, thunderbird_t) - allow thunderbird_t $2:unix_stream_socket connectto; + allow thunderbird_t $3:unix_stream_socket connectto; - allow $2 thunderbird_t:process { ptrace signal_perms }; - ps_process_pattern($2, thunderbird_t) + allow $3 thunderbird_t:process { ptrace signal_perms }; + ps_process_pattern($3, thunderbird_t) allow $2 thunderbird_home_t:dir { manage_dir_perms relabel_dir_perms }; allow $2 thunderbird_home_t:file { manage_file_perms relabel_file_perms }; allow $2 thunderbird_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; userdom_user_home_dir_filetrans($2, thunderbird_home_t, dir, ".thunderbird") + + optional_policy(` + systemd_user_app_status($1, thunderbird_t) + ') ') ######################################## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index d85f8de2a..a5e66f830 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -183,7 +183,7 @@ ifndef(`distro_redhat',` ') optional_policy(` - thunderbird_role(staff_r, staff_t) + thunderbird_role(staff, staff_t, staff_application_exec_domain, staff_r) ') optional_policy(` diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index cad8a232d..73f175d0a 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1049,7 +1049,7 @@ optional_policy(` ') optional_policy(` - thunderbird_role(sysadm_r, sysadm_t) + thunderbird_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r) ') optional_policy(` diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index 829546399..6a1afddff 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -167,7 +167,7 @@ ifndef(`distro_redhat',` ') optional_policy(` - thunderbird_role(user_r, user_t) + thunderbird_role(user, user_t, user_application_exec_domain, user_r) ') optional_policy(`