authorKenton Groombridge <me@concord.sh>2021-08-08 12:54:41 -0400
committerJason Zaman <perfinion@gentoo.org>2021-11-20 14:58:24 -0800
commit280eb10e71337401487dd51dc3cb9243b16be783 (patch)
tree7c900d893e12e3118c9161c57da9dedd580d4b9f
parentshutdown, roles: use user exec domain attribute (diff)
cryfs, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r--policy/modules/apps/cryfs.if31
-rw-r--r--policy/modules/roles/sysadm.te2
2 files changed, 24 insertions, 9 deletions
diff --git a/policy/modules/apps/cryfs.if b/policy/modules/apps/cryfs.if
index 300a00ad..d0bece91 100644
--- a/policy/modules/apps/cryfs.if
+++ b/policy/modules/apps/cryfs.if
@@ -4,18 +4,29 @@
## <summary>
## Role access for CryFS.
## </summary>
-## <param name="role">
+## <param name="role_prefix">
## <summary>
-## Role allowed access.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
## </summary>
## </param>
-## <param name="domain">
+## <param name="user_domain">
## <summary>
## User domain for the role.
## </summary>
## </param>
+## <param name="user_exec_domain">
+## <summary>
+## User exec domain for execute and transition access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
#
-interface(`cryfs_role',`
+template(`cryfs_role',`
gen_require(`
attribute_role cryfs_roles;
type cryfs_t, cryfs_exec_t;
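Review bot: The `user_domain` parameter ($2) is still documented as "User domain for the role", but no rule on the new side of the next hunk references $2: access goes to $3, the role attribute to $4, and $1 feeds `systemd_user_app_status`. If it is kept only so the signature matches the other role templates, the summary should say so, e.g. `## User domain for the role (not referenced by this template).` The new `role` summary also reads `## Role allowed access` without the trailing period that the removed line had. The template body continues past this hunk and the lines between the two hunks are not shown, so $2 may be used there.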
@@ -26,15 +37,19 @@ interface(`cryfs_role',`
# Declarations
#
- roleattribute $1 cryfs_roles;
+ roleattribute $4 cryfs_roles;
########################################
#
# Policy
#
- domtrans_pattern($2, cryfs_exec_t, cryfs_t)
+ domtrans_pattern($3, cryfs_exec_t, cryfs_t)
- allow $2 cryfs_t:process signal_perms;
- ps_process_pattern($2, cryfs_t)
+ allow $3 cryfs_t:process signal_perms;
+ ps_process_pattern($3, cryfs_t)
+
+ optional_policy(`
+ systemd_user_app_status($1, cryfs_t)
+ ')
')
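Review bot: `domtrans_pattern($3, cryfs_exec_t, cryfs_t)` and `allow $3 cryfs_t:process signal_perms;` now grant to the third argument, which the sysadm.te caller in this commit passes as `sysadm_application_exec_domain`. That looks like an attribute rather than a single type, so every domain carrying it would be able to transition into and signal cryfs_t, not only the user domain. The widening seems to be the intent of the commit, but nothing near the rules states it; a comment above the domtrans line such as `# $3 is normally an attribute: every member domain gains transition, signal and ps access to cryfs_t` would make the scope auditable. The positional meaning also changed ($1 was the role and is now the role prefix, and the role moved to $4), so a two-argument caller left over from the old interface would expand with empty $3 and $4. Only the sysadm caller is updated in this diff, so it is worth confirming no other `cryfs_role` callers remain.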
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 44b80516..d5d61098 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1230,7 +1230,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- cryfs_role(sysadm_r, sysadm_t)
+ cryfs_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
')
optional_policy(`