From 7ba794a6a79af4241eb713c69366fa6dfa19039e Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sun, 8 Aug 2021 12:47:11 -0400
Subject: [PATCH] wireshark, roles: use user exec domain attribute

Signed-off-by: Kenton Groombridge
---
 policy/modules/apps/wireshark.if | 31 ++++++++++++++++++++++--------
 policy/modules/roles/staff.te | 2 +-
 policy/modules/roles/sysadm.te | 2 +-
 policy/modules/roles/unprivuser.te | 2 +-
 4 files changed, 26 insertions(+), 11 deletions(-)

diff --git a/policy/modules/apps/wireshark.if b/policy/modules/apps/wireshark.if
index 9cad4afe6..e02aa734f 100644
--- a/policy/modules/apps/wireshark.if
+++ b/policy/modules/apps/wireshark.if
@@ -4,30 +4,41 @@
 ##
 ## Role access for wireshark.
 ##
-##
+##
 ##
-## Role allowed access.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
 ##
 ##
-##
+##
 ##
 ## User domain for the role.
 ##
 ##
+##
+##
+## User exec domain for execute and transition access.
+##
+##
+##
+##
+## Role allowed access
+##
+##
 #
-interface(`wireshark_role',`
+template(`wireshark_role',`
 gen_require(`
 attribute_role wireshark_roles;
 type wireshark_t, wireshark_exec_t, wireshark_home_t;
 type wireshark_tmp_t, wireshark_tmpfs_t;
 ')
 
- roleattribute $1 wireshark_roles;
+ roleattribute $4 wireshark_roles;
 
- domtrans_pattern($2, wireshark_exec_t, wireshark_t)
+ domtrans_pattern($3, wireshark_exec_t, wireshark_t)
 
- allow $2 wireshark_t:process { ptrace signal_perms };
- ps_process_pattern($2, wireshark_t)
+ allow $3 wireshark_t:process { ptrace signal_perms };
+ ps_process_pattern($3, wireshark_t)
 
 allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
 allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:file { manage_file_perms relabel_file_perms };
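Review bot: The `ptrace` permission on `wireshark_t` now goes to every domain carrying the exec-domain attribute (`allow $3 wireshark_t:process { ptrace signal_perms };`), whereas the removed line limited it to the user domain `$2`; ptrace gives full control over the traced process, so this widens who can take over a running wireshark, while the tmp/home/tmpfs file rules in the same hunk stay on `$2`. If the goal is only that the calling domains can execute, signal and list wireshark, consider keeping `allow $2 wireshark_t:process { ptrace signal_perms };` on the user domain and giving `$3` `signal_perms` plus `ps_process_pattern($3, wireshark_t)` without ptrace. The membership of the `*_application_exec_domain` attributes is not visible in this patch, so whether this is a real widening depends on what else is placed in them. Separately, the new summary `Role allowed access` drops the trailing period the removed line had; `## Role allowed access.` matches the other summaries in this block. The body of `wireshark_role` continues in the next hunk.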
@@ -35,6 +46,10 @@ interface(`wireshark_role',`
 allow $2 wireshark_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 allow $2 wireshark_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 userdom_user_home_dir_filetrans($2, wireshark_home_t, dir, ".wireshark")
+
+ optional_policy(`
+ systemd_user_app_status($1, wireshark_t)
+ ')
 ')
 
 ########################################
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index bb5325e31..4f17f9cd6 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -203,7 +203,7 @@ ifndef(`distro_redhat',`
 ')
 
 optional_policy(`
- wireshark_role(staff_r, staff_t)
+ wireshark_role(staff, staff_t, staff_application_exec_domain, staff_r)
 ')
 
 optional_policy(`
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index d81c87956..3c4f5b14c 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1172,7 +1172,7 @@ optional_policy(`
 ')
 
 optional_policy(`
- wireshark_role(sysadm_r, sysadm_t)
+ wireshark_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 ')
 
 optional_policy(`
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index fb0b94637..dcd5bb413 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -187,7 +187,7 @@ ifndef(`distro_redhat',`
 ')
 
 optional_policy(`
- wireshark_role(user_r, user_t)
+ wireshark_role(user, user_t, user_application_exec_domain, user_r)
 ')
 
 optional_policy(`
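Review bot: `$1` is used only by the added `systemd_user_app_status($1, wireshark_t)`, and nothing ties that prefix to the domain and role passed as `$2` and `$4`, so a mismatched call such as `wireshark_role(staff, user_t, ...)` would build without error while associating the wrong user's systemd --user instance with wireshark_t. A one-line comment above the call would make the contract explicit: `# $1 must be the prefix that produced $2/$4 (e.g. staff for staff_t/staff_r)`. The template `wireshark_role` begins in the previous hunk; the three role-file hunks that follow pass prefix, domain, attribute and role that agree with each other as far as the names shown allow one to tell.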