diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 29bce30e9..d470ec09c 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -99,7 +99,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- dirmngr_role(staff_r, staff_t)
+ dirmngr_role(staff, staff_t, staff_application_exec_domain, staff_r)
')
optional_policy(`
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 1040350c9..c9bde465b 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1230,7 +1230,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- dirmngr_role(sysadm_r, sysadm_t)
+ dirmngr_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
')
optional_policy(`
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 539d26333..bc3c78c1d 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -63,7 +63,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- dirmngr_role(user_r, user_t)
+ dirmngr_role(user, user_t, user_application_exec_domain, user_r)
')
optional_policy(`
diff --git a/policy/modules/services/dirmngr.if b/policy/modules/services/dirmngr.if
index e900973b9..ffec746a9 100644
--- a/policy/modules/services/dirmngr.if
+++ b/policy/modules/services/dirmngr.if
@@ -4,34 +4,49 @@
##
## Role access for dirmngr.
##
-##
+##
##
-## Role allowed access.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
##
##
-##
+##
##
## User domain for the role.
##
##
+##
+##
+## User exec domain for execute and transition access.
+##
+##
+##
+##
+## Role allowed access
+##
+##
#
-interface(`dirmngr_role',`
+template(`dirmngr_role',`
gen_require(`
type dirmngr_t, dirmngr_exec_t;
type dirmngr_tmp_t;
')
- role $1 types dirmngr_t;
+ role $4 types dirmngr_t;
- domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+ domtrans_pattern($3, dirmngr_exec_t, dirmngr_t)
- allow $2 dirmngr_t:process { ptrace signal_perms };
- ps_process_pattern($2, dirmngr_t)
+ allow $3 dirmngr_t:process { ptrace signal_perms };
+ ps_process_pattern($3, dirmngr_t)
- allow dirmngr_t $2:fd use;
- allow dirmngr_t $2:fifo_file rw_inherited_fifo_file_perms;
+ allow dirmngr_t $3:fd use;
+ allow dirmngr_t $3:fifo_file rw_inherited_fifo_file_perms;
allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ optional_policy(`
+ systemd_user_app_status($1, dirmngr_t)
+ ')
')
########################################
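Review bot: `allow $3 dirmngr_t:process { ptrace signal_perms };` now grants ptrace over dirmngr_t to the third argument, which the callers pass as `*_application_exec_domain`, where before it went only to the user domain in `$2`. If that argument is an attribute covering more than the login domain (the name and the new parameter text suggest so, but its definition is not in this diff), every member gains the ability to read and alter the memory of the process that handles certificate and CRL lookups. Consider keeping signalling on the wider set and ptrace on the user domain only: `allow $3 dirmngr_t:process signal_perms;` plus `allow $2 dirmngr_t:process ptrace;`. The unchanged `allow $2 dirmngr_tmp_t:sock_file ...` line would also benefit from a one-line comment saying why socket management stays on `$2` while the transition, fd and fifo rules moved to `$3`.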