dirmngr, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
Kenton Groombridge
parent
95cf374eee
commit
8875024efc
|
|
@ -99,7 +99,7 @@ ifndef(`distro_redhat',`
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
dirmngr_role(staff_r, staff_t)
|
||||
dirmngr_role(staff, staff_t, staff_application_exec_domain, staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -1230,7 +1230,7 @@ ifndef(`distro_redhat',`
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
dirmngr_role(sysadm_r, sysadm_t)
|
||||
dirmngr_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -63,7 +63,7 @@ ifndef(`distro_redhat',`
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
dirmngr_role(user_r, user_t)
|
||||
dirmngr_role(user, user_t, user_application_exec_domain, user_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -4,34 +4,49 @@
|
|||
## <summary>
|
||||
## Role access for dirmngr.
|
||||
## </summary>
|
||||
## <param name="role">
|
||||
## <param name="role_prefix">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## The prefix of the user role (e.g., user
|
||||
## is the prefix for user_r).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## User domain for the role.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_exec_domain">
|
||||
## <summary>
|
||||
## User exec domain for execute and transition access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dirmngr_role',`
|
||||
template(`dirmngr_role',`
|
||||
gen_require(`
|
||||
type dirmngr_t, dirmngr_exec_t;
|
||||
type dirmngr_tmp_t;
|
||||
')
|
||||
|
||||
role $1 types dirmngr_t;
|
||||
role $4 types dirmngr_t;
|
||||
|
||||
domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
|
||||
domtrans_pattern($3, dirmngr_exec_t, dirmngr_t)
|
||||
|
||||
allow $2 dirmngr_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($2, dirmngr_t)
|
||||
allow $3 dirmngr_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($3, dirmngr_t)
|
||||
|
||||
allow dirmngr_t $2:fd use;
|
||||
allow dirmngr_t $2:fifo_file rw_inherited_fifo_file_perms;
|
||||
allow dirmngr_t $3:fd use;
|
||||
allow dirmngr_t $3:fifo_file rw_inherited_fifo_file_perms;
|
||||
|
||||
allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
||||
|
||||
optional_policy(`
|
||||
systemd_user_app_status($1, dirmngr_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
Loading…
Reference in New Issue