lpd, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
Kenton Groombridge
parent
8bdab0397c
commit
34f7b026ea
|
|
@ -131,7 +131,7 @@ ifndef(`distro_redhat',`
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
lpd_role(staff_r, staff_t)
|
||||
lpd_role(staff, staff_t, staff_application_exec_domain, staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -572,7 +572,7 @@ optional_policy(`
|
|||
|
||||
optional_policy(`
|
||||
lpd_run_checkpc(sysadm_t, sysadm_r)
|
||||
lpd_role(sysadm_r, sysadm_t)
|
||||
lpd_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -99,7 +99,7 @@ ifndef(`distro_redhat',`
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
lpd_role(user_r, user_t)
|
||||
lpd_role(user, user_t, user_application_exec_domain, user_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -4,18 +4,29 @@
|
|||
## <summary>
|
||||
## Role access for lpd.
|
||||
## </summary>
|
||||
## <param name="role">
|
||||
## <param name="role_prefix">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## The prefix of the user role (e.g., user
|
||||
## is the prefix for user_r).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## User domain for the role.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_exec_domain">
|
||||
## <summary>
|
||||
## User exec domain for execute and transition access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lpd_role',`
|
||||
template(`lpd_role',`
|
||||
gen_require(`
|
||||
attribute_role lpr_roles;
|
||||
type lpr_t, lpr_exec_t;
|
||||
|
|
@ -26,22 +37,26 @@ interface(`lpd_role',`
|
|||
# Declarations
|
||||
#
|
||||
|
||||
roleattribute $1 lpr_roles;
|
||||
roleattribute $4 lpr_roles;
|
||||
|
||||
########################################
|
||||
#
|
||||
# Policy
|
||||
#
|
||||
|
||||
domtrans_pattern($2, lpr_exec_t, lpr_t)
|
||||
domtrans_pattern($3, lpr_exec_t, lpr_t)
|
||||
|
||||
allow $2 lpr_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($2, lpr_t)
|
||||
allow $3 lpr_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($3, lpr_t)
|
||||
|
||||
dontaudit lpr_t $2:unix_stream_socket { read write };
|
||||
dontaudit lpr_t $3:unix_stream_socket { read write };
|
||||
|
||||
optional_policy(`
|
||||
cups_read_config($2)
|
||||
cups_read_config($3)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
systemd_user_app_status($1, lpr_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue