From b591857dcd42435eb8b1d10c143b774edaa3dc46 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 8 Aug 2021 12:54:41 -0400 Subject: [PATCH] cryfs, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge --- policy/modules/apps/cryfs.if | 31 +++++++++++++++++++++++-------- policy/modules/roles/sysadm.te | 2 +- 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/policy/modules/apps/cryfs.if b/policy/modules/apps/cryfs.if index 300a00ad4..d0bece917 100644 --- a/policy/modules/apps/cryfs.if +++ b/policy/modules/apps/cryfs.if @@ -4,18 +4,29 @@ ## ## Role access for CryFS. ## -## +## ## -## Role allowed access. +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## ## User domain for the role. ## ## +## +## +## User exec domain for execute and transition access. +## +## +## +## +## Role allowed access +## +## # -interface(`cryfs_role',` +template(`cryfs_role',` gen_require(` attribute_role cryfs_roles; type cryfs_t, cryfs_exec_t; @@ -26,15 +37,19 @@ interface(`cryfs_role',` # Declarations # - roleattribute $1 cryfs_roles; + roleattribute $4 cryfs_roles; ######################################## # # Policy # - domtrans_pattern($2, cryfs_exec_t, cryfs_t) + domtrans_pattern($3, cryfs_exec_t, cryfs_t) - allow $2 cryfs_t:process signal_perms; - ps_process_pattern($2, cryfs_t) + allow $3 cryfs_t:process signal_perms; + ps_process_pattern($3, cryfs_t) + + optional_policy(` + systemd_user_app_status($1, cryfs_t) + ') ') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 0013d0b07..64972d219 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1226,7 +1226,7 @@ ifndef(`distro_redhat',` ') optional_policy(` - cryfs_role(sysadm_r, sysadm_t) + cryfs_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r) ') optional_policy(`