From b7980a45fce1d32703d7e37bc3f76c22f95cb6c8 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sun, 8 Aug 2021 11:57:02 -0400
Subject: [PATCH] irc, roles: use user exec domain attribute

Signed-off-by: Kenton Groombridge
---
 policy/modules/apps/irc.if | 31 ++++++++++++++++++++++--------
 policy/modules/roles/staff.te | 2 +-
 policy/modules/roles/sysadm.te | 2 +-
 policy/modules/roles/unprivuser.te | 2 +-
 4 files changed, 26 insertions(+), 11 deletions(-)

diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index ac00fb0fb..8def4a257 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -4,18 +4,29 @@
 ##
 ##	Role access for IRC.
 ##
-##
+##
 ##
-##	Role allowed access.
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##
 ##
-##
+##
 ##
 ##	User domain for the role.
 ##
 ##
+##
+##
+##	User exec domain for execute and transition access.
+##
+##
+##
+##
+##	Role allowed access
+##
+##
 #
-interface(`irc_role',`
+template(`irc_role',`
 	gen_require(`
 		attribute_role irc_roles;
 		type irc_t, irc_exec_t, irc_home_t;
@@ -27,17 +38,17 @@ interface(`irc_role',`
 	# Declarations
 	#
 
-	roleattribute $1 irc_roles;
+	roleattribute $4 irc_roles;
 
 	########################################
 	#
 	# Policy
 	#
 
-	domtrans_pattern($2, irc_exec_t, irc_t)
+	domtrans_pattern($3, irc_exec_t, irc_t)
 
-	ps_process_pattern($2, irc_t)
-	allow $2 irc_t:process { ptrace signal_perms };
+	ps_process_pattern($3, irc_t)
+	allow $3 irc_t:process { ptrace signal_perms };
 
 	allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
 	allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms };
@@ -45,4 +56,8 @@ interface(`irc_role',`
 	userdom_user_home_dir_filetrans($2, irc_home_t, dir, ".irssi")
 	userdom_user_home_dir_filetrans($2, irc_home_t, file, ".ircmotd")
 	userdom_user_home_dir_filetrans($2, irc_log_home_t, dir, "irclogs")
+
+	optional_policy(`
+		systemd_user_app_status($1, irc_t)
+	')
 ')
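Review bot: The new `role` parameter summary `## Role allowed access` is the only one of the four summaries in this hunk without a terminating period; for consistency with its neighbours it should read `## Role allowed access.`. It is also worth a sentence in the parameter docs that the role has moved from `$1` to `$4` with the exec domain inserted as `$3`: a caller still written against the old `(role, domain)` order will fail at policy build, because m4 expands a missing `$4` to nothing and `roleattribute $4 irc_roles;` in the next hunk then has no role operand, which is a loud failure rather than a silent mis-grant. The `gen_require` block and the rest of the template body continue past this hunk.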
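Review bot: `allow $3 irc_t:process { ptrace signal_perms };` now grants ptrace and signal rights over the IRC client to every domain carrying the exec-domain attribute, whereas before the change only the user domain `$2` held them. Execute and transition rights belong on `$3`, but ptrace is a debugging right and signal_perms lets the holder kill the client, so unless every member of the attribute is meant to have both (which domains carry `*_application_exec_domain` is declared in the role modules, outside this diff), keep that line on the user domain: `allow $2 irc_t:process { ptrace signal_perms };`. The same question applies to `ps_process_pattern($3, irc_t)`, though reading process state is less sensitive. The template body continues on both sides of this hunk.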
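Review bot: The new `systemd_user_app_status($1, irc_t)` call is the only place in the visible hunks where the role prefix `$1` is consumed, and it is presumably what requires `irc_role` to become a template instead of an interface, yet nothing in the body says so. A one-line comment above the `optional_policy` block, e.g. `# role prefix $1 is consumed only here; see systemd_user_app_status in systemd.if`, would save the next reader from re-deriving why the first parameter exists; confirm the exact purpose against the systemd module before wording it more strongly. The template body begins outside this hunk.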
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index e0454f8d4..c2c9edd6a 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -119,7 +119,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		irc_role(staff_r, staff_t)
+		irc_role(staff, staff_t, staff_application_exec_domain, staff_r)
 	')
 
 	optional_policy(`
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 366f27440..391b1d9c4 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1250,7 +1250,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		irc_role(sysadm_r, sysadm_t)
+		irc_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 	')
 
 	optional_policy(`
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index c1cf51e9d..448e6151f 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -87,7 +87,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		irc_role(user_r, user_t)
+		irc_role(user, user_t, user_application_exec_domain, user_r)
 	')
 
 	optional_policy(`