shutdown: add tunable to control user exec domain access

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/admin/shutdown.if

@@ -28,13 +28,23 @@
 #
 template(`shutdown_role',`
 	gen_require(`
+		attribute_role shutdown_roles;
 		type shutdown_t;
 	')
 
-	shutdown_run($3, $4)
+	roleattribute $4 shutdown_roles;
 
-	allow $3 shutdown_t:process { ptrace signal_perms };
-	ps_process_pattern($3, shutdown_t)
+	tunable_policy(`shutdown_allow_user_exec_domains',`
+		shutdown_domtrans($3)
+
+		allow $3 shutdown_t:process { ptrace signal_perms };
+		ps_process_pattern($3, shutdown_t)
+	',`
+		shutdown_domtrans($2)
+
+		allow $2 shutdown_t:process { ptrace signal_perms };
+		ps_process_pattern($2, shutdown_t)
+	')
 
 	optional_policy(`
 		systemd_user_app_status($1, shutdown_t)

policy/modules/admin/shutdown.te

@@ -1,5 +1,15 @@
 policy_module(shutdown, 1.7.0)
 
+## <desc>
+##	<p>
+##	Determine whether the user application exec
+##	domain attribute should be respected for
+##	shutdown access. If not enabled, only user
+##	domains themselves may use shutdown.
+##	</p>
+## </desc>
+gen_tunable(shutdown_allow_user_exec_domains, false)
+
 ########################################
 #
 # Declarations