diff options
author | Kenton Groombridge <me@concord.sh> | 2021-08-08 12:54:41 -0400 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2021-11-20 14:58:24 -0800 |
commit | 280eb10e71337401487dd51dc3cb9243b16be783 (patch) | |
tree | 7c900d893e12e3118c9161c57da9dedd580d4b9f | |
parent | shutdown, roles: use user exec domain attribute (diff) | |
download | hardened-refpolicy-280eb10e.tar.gz hardened-refpolicy-280eb10e.tar.bz2 hardened-refpolicy-280eb10e.zip |
cryfs, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/apps/cryfs.if | 31 | ||||
-rw-r--r-- | policy/modules/roles/sysadm.te | 2 |
2 files changed, 24 insertions, 9 deletions
diff --git a/policy/modules/apps/cryfs.if b/policy/modules/apps/cryfs.if index 300a00ad..d0bece91 100644 --- a/policy/modules/apps/cryfs.if +++ b/policy/modules/apps/cryfs.if @@ -4,18 +4,29 @@ ## <summary> ## Role access for CryFS. ## </summary> -## <param name="role"> +## <param name="role_prefix"> ## <summary> -## Role allowed access. +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## </summary> ## </param> -## <param name="domain"> +## <param name="user_domain"> ## <summary> ## User domain for the role. ## </summary> ## </param> +## <param name="user_exec_domain"> +## <summary> +## User exec domain for execute and transition access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> # -interface(`cryfs_role',` +template(`cryfs_role',` gen_require(` attribute_role cryfs_roles; type cryfs_t, cryfs_exec_t; @@ -26,15 +37,19 @@ interface(`cryfs_role',` # Declarations # - roleattribute $1 cryfs_roles; + roleattribute $4 cryfs_roles; ######################################## # # Policy # - domtrans_pattern($2, cryfs_exec_t, cryfs_t) + domtrans_pattern($3, cryfs_exec_t, cryfs_t) - allow $2 cryfs_t:process signal_perms; - ps_process_pattern($2, cryfs_t) + allow $3 cryfs_t:process signal_perms; + ps_process_pattern($3, cryfs_t) + + optional_policy(` + systemd_user_app_status($1, cryfs_t) + ') ') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 44b80516..d5d61098 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1230,7 +1230,7 @@ ifndef(`distro_redhat',` ') optional_policy(` - cryfs_role(sysadm_r, sysadm_t) + cryfs_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r) ') optional_policy(` |