From ab30d358825c2e557afdc2aed9de52f7ad2c4fbf Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sun, 8 Aug 2021 11:46:07 -0400
Subject: [PATCH] evolution, roles: use user exec domain attribute

Signed-off-by: Kenton Groombridge
---
 policy/modules/apps/evolution.if | 61 ++++++++++++++++++++----------
 policy/modules/roles/staff.te | 2 +-
 policy/modules/roles/sysadm.te | 2 +-
 policy/modules/roles/unprivuser.te | 2 +-
 4 files changed, 43 insertions(+), 24 deletions(-)

diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index 03a093751..47de66a07 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -4,18 +4,29 @@
 ##
 ## Role access for evolution.
 ##
-##
+##
 ##
-## Role allowed access.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
 ##
 ##
-##
+##
 ##
 ## User domain for the role.
 ##
 ##
+##
+##
+## User exec domain for execute and transition access.
+##
+##
+##
+##
+## Role allowed access
+##
+##
 #
-interface(`evolution_role',`
+template(`evolution_role',`
 	gen_require(`
 		attribute_role evolution_roles;
 		type evolution_t, evolution_exec_t, evolution_home_t;
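Review bot: Turning `interface(`evolution_role',`` into `template(`evolution_role',`` also changes the positional signature from `(role, domain)` to what looks like `(role_prefix, user_domain, user_exec_domain, role)`, and neither the summary nor the commit message says so; the `<param>` names are not visible in this rendering, so the order is inferred from how `$1`–`$4` are used in the following hunks. Any caller outside the three role files updated here that still passes the old two arguments will have `$3` and `$4` expand to empty strings, which should fail at build time (`roleattribute  evolution_roles;`, `domtrans_pattern(, evolution_exec_t, evolution_t)`) rather than silently granting access to the wrong domain, but that is worth stating. I'd add one sentence to the interface summary, `## The role is now the fourth argument; the first is the role prefix used for systemd user app status.`, and mention the incompatible argument order in the commit message. The new role parameter summary also drops the trailing period the other summaries keep.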
@@ -27,21 +38,21 @@ interface(`evolution_role',`
 		type evolution_tmpfs_t, evolution_webcal_tmpfs_t;
 	')
-	roleattribute $1 evolution_roles;
+	roleattribute $4 evolution_roles;
-	domtrans_pattern($2, evolution_exec_t, evolution_t)
-	domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t)
-	domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t)
-	domtrans_pattern($2, evolution_server_exec_t, evolution_server_t)
-	domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t)
+	domtrans_pattern($3, evolution_exec_t, evolution_t)
+	domtrans_pattern($3, evolution_alarm_exec_t, evolution_alarm_t)
+	domtrans_pattern($3, evolution_exchange_exec_t, evolution_exchange_t)
+	domtrans_pattern($3, evolution_server_exec_t, evolution_server_t)
+	domtrans_pattern($3, evolution_webcal_exec_t, evolution_webcal_t)
-	allow $2 { evolution_t evolution_alarm_t evolution_exchange_t evolution_server_t evolution_webcal_t }:process { noatsecure ptrace signal_perms };
-	ps_process_pattern($2, { evolution_t evolution_alarm_t evolution_exchange_t })
-	ps_process_pattern($2, { evolution_server_t evolution_webcal_t })
+	allow $3 { evolution_t evolution_alarm_t evolution_exchange_t evolution_server_t evolution_webcal_t }:process { noatsecure ptrace signal_perms };
+	ps_process_pattern($3, { evolution_t evolution_alarm_t evolution_exchange_t })
+	ps_process_pattern($3, { evolution_server_t evolution_webcal_t })
-	allow evolution_t $2:dir search_dir_perms;
-	allow evolution_t $2:file read_file_perms;
-	allow evolution_t $2:lnk_file read_lnk_file_perms;
+	allow evolution_t $3:dir search_dir_perms;
+	allow evolution_t $3:file read_file_perms;
+	allow evolution_t $3:lnk_file read_lnk_file_perms;
 	allow $2 evolution_home_t:dir { relabel_dir_perms manage_dir_perms };
 	allow $2 evolution_home_t:file { relabel_file_perms manage_file_perms };
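Review bot: Moving the `:process { noatsecure ptrace signal_perms }` rule, both `ps_process_pattern` calls and the `allow evolution_t $3:dir/file/lnk_file` reads from `$2` (the single user domain) to `$3` (the exec-domain attribute) widens each grant from one domain to every domain carrying the attribute: any member of `$3` may now `ptrace` the five evolution domains, and evolution may read the process entries of every member, not just the login domain. That may well be the intent of the series, but it is a privilege widening the commit message does not mention, and `ptrace` is the part I would want stated explicitly. The next hunk does the same with `$3:unix_stream_socket connectto`, the two `stream_connect_pattern` calls and the two dbus chat interfaces. If only execution and transition are meant to follow the attribute, keep tracing on the user domain with `allow $2 { evolution_t evolution_alarm_t evolution_exchange_t evolution_server_t evolution_webcal_t }:process ptrace;` and give `$3` only `{ noatsecure signal_perms }`.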
@@ -59,14 +70,22 @@ interface(`evolution_role',`
 	allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 	allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-	allow { evolution_t evolution_exchange_t } $2:unix_stream_socket connectto;
+	allow { evolution_t evolution_exchange_t } $3:unix_stream_socket connectto;
-	stream_connect_pattern($2, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
-	stream_connect_pattern($2, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
+	stream_connect_pattern($3, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
+	stream_connect_pattern($3, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
 	optional_policy(`
-		evolution_dbus_chat($2)
-		evolution_alarm_dbus_chat($2)
+		evolution_dbus_chat($3)
+		evolution_alarm_dbus_chat($3)
+	')
+
+	optional_policy(`
+		systemd_user_app_status($1, evolution_t)
+		systemd_user_app_status($1, evolution_alarm_t)
+		systemd_user_app_status($1, evolution_exchange_t)
+		systemd_user_app_status($1, evolution_server_t)
+		systemd_user_app_status($1, evolution_webcal_t)
 	')
 ')
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index d470ec09c..f044b48a4 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -103,7 +103,7 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
-		evolution_role(staff_r, staff_t)
+		evolution_role(staff, staff_t, staff_application_exec_domain, staff_r)
 	')
 	optional_policy(`
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index c9bde465b..d1d8d20b8 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1234,7 +1234,7 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
-		evolution_role(sysadm_r, sysadm_t)
+		evolution_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 	')
 	optional_policy(`
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index bc3c78c1d..2c6b98a81 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -67,7 +67,7 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
-		evolution_role(user_r, user_t)
+		evolution_role(user, user_t, user_application_exec_domain, user_r)
 	')
 	optional_policy(`