dirmngr, roles: use user exec domain attribute

Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
Kenton Groombridge 2021-08-08 11:42:38 -04:00
parent 95cf374eee
commit 8875024efc
4 changed files with 28 additions and 13 deletions

View File

@ -99,7 +99,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
dirmngr_role(staff_r, staff_t)
dirmngr_role(staff, staff_t, staff_application_exec_domain, staff_r)
')
optional_policy(`

View File

@ -1230,7 +1230,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
dirmngr_role(sysadm_r, sysadm_t)
dirmngr_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
')
optional_policy(`

View File

@ -63,7 +63,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
dirmngr_role(user_r, user_t)
dirmngr_role(user, user_t, user_application_exec_domain, user_r)
')
optional_policy(`

View File

@ -4,34 +4,49 @@
## <summary>
## Role access for dirmngr.
## </summary>
## <param name="role">
## <param name="role_prefix">
## <summary>
## Role allowed access.
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="domain">
## <param name="user_domain">
## <summary>
## User domain for the role.
## </summary>
## </param>
## <param name="user_exec_domain">
## <summary>
## User exec domain for execute and transition access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
#
interface(`dirmngr_role',`
template(`dirmngr_role',`
gen_require(`
type dirmngr_t, dirmngr_exec_t;
type dirmngr_tmp_t;
')
role $1 types dirmngr_t;
role $4 types dirmngr_t;
domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
domtrans_pattern($3, dirmngr_exec_t, dirmngr_t)
allow $2 dirmngr_t:process { ptrace signal_perms };
ps_process_pattern($2, dirmngr_t)
allow $3 dirmngr_t:process { ptrace signal_perms };
ps_process_pattern($3, dirmngr_t)
allow dirmngr_t $2:fd use;
allow dirmngr_t $2:fifo_file rw_inherited_fifo_file_perms;
allow dirmngr_t $3:fd use;
allow dirmngr_t $3:fifo_file rw_inherited_fifo_file_perms;
allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
optional_policy(`
systemd_user_app_status($1, dirmngr_t)
')
')
########################################