commit: f8e43b61c56e5b79784c73c58548143056bee6b5 Author: Kenton Groombridge <me <AT> concord <DOT> sh> AuthorDate: Sun Aug 8 16:53:48 2021 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Nov 20 22:58:24 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f8e43b61
shutdown, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/shutdown.if | 29 ++++++++++++++++++++++-------
policy/modules/roles/sysadm.te | 2 +-
2 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
index 05eb8c89..2a428398 100644
--- a/policy/modules/admin/shutdown.if
+++ b/policy/modules/admin/shutdown.if
@@ -4,26 +4,41 @@
 ## <summary>
 ## Role access for shutdown.
 ## </summary>
-## <param name="role">
+## <param name="role_prefix">
 ## <summary>
-## Role allowed access.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
 ## </summary>
 ## </param>
-## <param name="domain">
+## <param name="user_domain">
 ## <summary>
 ## User domain for the role.
 ## </summary>
 ## </param>
+## <param name="user_exec_domain">
+## <summary>
+## User exec domain for execute and transition access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
 #
-interface(`shutdown_role',`
+template(`shutdown_role',`
 gen_require(`
 type shutdown_t;
 ')

- shutdown_run($2, $1)
+ shutdown_run($3, $4)
+
+ allow $3 shutdown_t:process { ptrace signal_perms };
+ ps_process_pattern($3, shutdown_t)

- allow $2 shutdown_t:process { ptrace signal_perms };
- ps_process_pattern($2, shutdown_t)
+ optional_policy(`
+ systemd_user_app_status($1, shutdown_t)
+ ')
 ')

 ########################################
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7774ec0a..44b80516 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -959,7 +959,7 @@ optional_policy(`
 ')

 optional_policy(`
- shutdown_role(sysadm_r, sysadm_t)
+ shutdown_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 ')

 optional_policy(`
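Review bot: `allow $3 shutdown_t:process { ptrace signal_perms };` in the new `shutdown_role` body now gives ptrace and signal access over `shutdown_t` to the exec-domain argument instead of the user domain, and `$2` is no longer referenced anywhere in the template even though it is still documented. For the sysadm caller `$3` is `sysadm_application_exec_domain`, which by its name looks like an attribute, so every type carrying it, not only `sysadm_t`, would presumably be able to ptrace the shutdown process; the attribute's membership is not visible in this diff and should be confirmed. If the wider grant is not intended, keep only the transition on the attribute and leave process control with the user domain: `allow $2 shutdown_t:process { ptrace signal_perms };` and `ps_process_pattern($2, shutdown_t)`. If it is intended, a short comment above the allow rule stating that ptrace is deliberately granted to the whole exec domain would make that reviewable later.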
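Review bot: Only this `sysadm.te` call is converted to the four-argument form, while the `shutdown.if` hunk redefines `$1` and `$2` and adds `$3` and `$4`. Any remaining two-argument `shutdown_role(role, domain)` caller in another role module or in local policy (none is visible here) would have `$3` and `$4` expand to empty strings under m4, and would pass a role where a role prefix is now expected. A tree-wide search for `shutdown_role(` before merging would confirm every caller was updated. The surrounding `optional_policy` blocks start and end outside the hunk.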