From 3d11a43da1704c7664361a58238d5f5617be0ada Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sun, 8 Aug 2021 11:06:56 -0400
Subject: [PATCH] sudo, roles: use user exec domain attribute

Signed-off-by: Kenton Groombridge
---
 policy/modules/admin/sudo.if       | 25 +++++++++++++++----------
 policy/modules/roles/auditadm.te   |  2 +-
 policy/modules/roles/secadm.te     |  2 +-
 policy/modules/roles/staff.te      |  2 +-
 policy/modules/roles/sysadm.te     |  2 +-
 policy/modules/roles/unprivuser.te |  2 +-
 6 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index adca75133..32b4ff5b6 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -17,14 +17,19 @@
 ## is the prefix for user_r).
 ##
 ##
-##
-##
-## The user role.
-##
-##
 ##
 ##
-## The user domain associated with the role.
+## User domain for the role.
+##
+##
+##
+##
+## User exec domain for execute and transition access.
+##
+##
+##
+##
+## Role allowed access
 ##
 ##
 #
@@ -44,7 +49,7 @@ template(`sudo_role_template',`
 	userdom_user_application_domain($1_sudo_t, sudo_exec_t)
 	domain_interactive_fd($1_sudo_t)
 	domain_role_change_exemption($1_sudo_t)
-	role $2 types $1_sudo_t;
+	role $4 types $1_sudo_t;
 
 	##############################
 	#
@@ -77,8 +82,8 @@ template(`sudo_role_template',`
 	domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
 
 	# By default, revert to the calling domain when a shell is executed.
-	corecmd_shell_domtrans($1_sudo_t, $3)
-	corecmd_bin_domtrans($1_sudo_t, $3)
+	corecmd_shell_domtrans($1_sudo_t, $2)
+	corecmd_bin_domtrans($1_sudo_t, $2)
 	allow $3 $1_sudo_t:fd use;
 	allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
 	allow $3 $1_sudo_t:process signal_perms;
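Review bot: The comment `# By default, revert to the calling domain when a shell is executed.` above the changed corecmd_shell_domtrans/corecmd_bin_domtrans lines no longer describes the code. The context line domtrans_pattern($3, sudo_exec_t, $1_sudo_t) now lets sudo be entered from any type carrying $3 (the exec domain attribute, going by the new parameter docs and the role callers), while the shell and bin transitions always land in $2, the single user domain, so a more confined member of $3 that invokes sudo gets a shell in $2 rather than in its own domain. That is presumably the intended design of the attribute, but it is a change in what "revert" means at this call site and should be stated; suggest `# By default, shells and binaries run in the user domain ($2), whichever member of $3 invoked sudo.`. The template body continues outside the hunk.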
@@ -118,7 +123,7 @@ template(`sudo_role_template',`
 	term_relabel_all_ttys($1_sudo_t)
 	term_relabel_all_ptys($1_sudo_t)
 
-	auth_run_chk_passwd($1_sudo_t, $2)
+	auth_run_chk_passwd($1_sudo_t, $4)
 	# sudo stores a token in the pam runtime directory
 	auth_manage_pam_runtime_dirs($1_sudo_t)
 	auth_manage_pam_runtime_files($1_sudo_t)
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index a796b776b..5d9bcdd11 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -52,7 +52,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	sudo_role_template(auditadm, auditadm_r, auditadm_t)
+	sudo_role_template(auditadm, auditadm_t, auditadm_application_exec_domain, auditadm_r)
 ')
 
 optional_policy(`
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index e61b0e8f3..ff1adbba3 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -65,7 +65,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	sudo_role_template(secadm, secadm_r, secadm_t)
+	sudo_role_template(secadm, secadm_t, secadm_application_exec_domain, secadm_r)
 ')
 
 optional_policy(`
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 9b84fa65c..055b57d0f 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -49,7 +49,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	sudo_role_template(staff, staff_r, staff_t)
+	sudo_role_template(staff, staff_t, staff_application_exec_domain, staff_r)
 ')
 
 optional_policy(`
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e85dc30b6..007619646 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1012,7 +1012,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	sudo_role_template(sysadm, sysadm_r, sysadm_t)
+	sudo_role_template(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 ')
 
 optional_policy(`
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 00c29cb40..740135a98 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -155,7 +155,7 @@ ifndef(`distro_redhat',`
 ')
 
 optional_policy(`
-	sudo_role_template(user, user_r, user_t)
+	sudo_role_template(user, user_t, user_application_exec_domain, user_r)
 ')
 
 optional_policy(`