diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 29bce30e9..d470ec09c 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -99,7 +99,7 @@ ifndef(`distro_redhat',` ') optional_policy(` - dirmngr_role(staff_r, staff_t) + dirmngr_role(staff, staff_t, staff_application_exec_domain, staff_r) ') optional_policy(` diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 1040350c9..c9bde465b 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1230,7 +1230,7 @@ ifndef(`distro_redhat',` ') optional_policy(` - dirmngr_role(sysadm_r, sysadm_t) + dirmngr_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r) ') optional_policy(` diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index 539d26333..bc3c78c1d 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -63,7 +63,7 @@ ifndef(`distro_redhat',` ') optional_policy(` - dirmngr_role(user_r, user_t) + dirmngr_role(user, user_t, user_application_exec_domain, user_r) ') optional_policy(` diff --git a/policy/modules/services/dirmngr.if b/policy/modules/services/dirmngr.if index e900973b9..ffec746a9 100644 --- a/policy/modules/services/dirmngr.if +++ b/policy/modules/services/dirmngr.if @@ -4,34 +4,49 @@ ## ## Role access for dirmngr. ## -## +## ## -## Role allowed access. +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## ## User domain for the role. ## ## +## +## +## User exec domain for execute and transition access. +## +## +## +## +## Role allowed access +## +## # -interface(`dirmngr_role',` +template(`dirmngr_role',` gen_require(` type dirmngr_t, dirmngr_exec_t; type dirmngr_tmp_t; ') - role $1 types dirmngr_t; + role $4 types dirmngr_t; - domtrans_pattern($2, dirmngr_exec_t, dirmngr_t) + domtrans_pattern($3, dirmngr_exec_t, dirmngr_t) - allow $2 dirmngr_t:process { ptrace signal_perms }; - ps_process_pattern($2, dirmngr_t) + allow $3 dirmngr_t:process { ptrace signal_perms }; + ps_process_pattern($3, dirmngr_t) - allow dirmngr_t $2:fd use; - allow dirmngr_t $2:fifo_file rw_inherited_fifo_file_perms; + allow dirmngr_t $3:fd use; + allow dirmngr_t $3:fifo_file rw_inherited_fifo_file_perms; allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + + optional_policy(` + systemd_user_app_status($1, dirmngr_t) + ') ') ########################################