dpkg: domaintrans to sysusers if necessary

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-30 15:13:22 +02:00 · 2020-05-30 15:13:22 +02:00 · fc904634ac
commit fc904634ac
parent 8f782ae820
3 changed files with 49 additions and 0 deletions
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@ -334,6 +334,7 @@ optional_policy(`
 optional_policy(`
 	systemd_read_logind_state(dpkg_script_t)
 	systemd_dbus_chat_logind(dpkg_script_t)
+	systemd_run_sysusers(dpkg_script_t, dpkg_roles)
 ')

 optional_policy(`
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@ -1126,3 +1126,48 @@ interface(`systemd_write_all_user_keys',`

 	allow $1 systemd_user_session_type:key write;
 ')
+
+########################################
+## <summary>
+##  Execute systemd-sysusers in the
+##  systemd sysusers domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_domtrans_sysusers', `
+	gen_require(`
+		type systemd_sysusers_t, systemd_sysusers_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, systemd_sysusers_exec_t, systemd_sysusers_t)
+')
+
+########################################
+## <summary>
+##  Run systemd-sysusers with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  Role allowed access.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_run_sysusers', `
+	gen_require(`
+		attribute_role systemd_sysusers_roles;
+	')
+
+	systemd_domtrans_sysusers($1)
+	roleattribute $2 systemd_sysusers_roles;
+')
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@ -34,6 +34,8 @@ attribute systemd_log_parse_env_type;
 attribute systemd_tmpfiles_conf_type;
 attribute systemd_user_session_type;

+attribute_role systemd_sysusers_roles;
+
 type systemd_activate_t;
 type systemd_activate_exec_t;
 init_system_domain(systemd_activate_t, systemd_activate_exec_t)
@ -226,6 +228,7 @@ init_daemon_pid_file(systemd_sessions_runtime_t, dir, "systemd_sessions")
 type systemd_sysusers_t;
 type systemd_sysusers_exec_t;
 init_system_domain(systemd_sysusers_t, systemd_sysusers_exec_t)
+role systemd_sysusers_roles types systemd_sysusers_t;

 type systemd_tmpfiles_t;
 type systemd_tmpfiles_exec_t;