[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/roles/
2021-11-21 3:00 Jason Zaman
From: Jason Zaman @ 2021-11-21 3:00 UTC
To: gentoo-commits
commit: f8e43b61c56e5b79784c73c58548143056bee6b5
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Aug 8 16:53:48 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f8e43b61
shutdown, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/shutdown.if | 29 ++++++++++++++++++++++-------
policy/modules/roles/sysadm.te | 2 +-
2 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
index 05eb8c89..2a428398 100644
--- a/policy/modules/admin/shutdown.if
+++ b/policy/modules/admin/shutdown.if
@@ -4,26 +4,41 @@
## <summary>
## Role access for shutdown.
## </summary>
-## <param name="role">
+## <param name="role_prefix">
## <summary>
-## Role allowed access.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
## </summary>
## </param>
-## <param name="domain">
+## <param name="user_domain">
## <summary>
## User domain for the role.
## </summary>
## </param>
+## <param name="user_exec_domain">
+## <summary>
+## User exec domain for execute and transition access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
#
-interface(`shutdown_role',`
+template(`shutdown_role',`
gen_require(`
type shutdown_t;
')
- shutdown_run($2, $1)
+ shutdown_run($3, $4)
+
+ allow $3 shutdown_t:process { ptrace signal_perms };
+ ps_process_pattern($3, shutdown_t)
- allow $2 shutdown_t:process { ptrace signal_perms };
- ps_process_pattern($2, shutdown_t)
+ optional_policy(`
+ systemd_user_app_status($1, shutdown_t)
+ ')
')
########################################
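Review bot: user_domain ($2) is documented in the new parameter list but is never referenced in the template body; the `allow ... shutdown_t:process { ptrace signal_perms }` and `ps_process_pattern(...)` rules that the old interface granted to $2 now go to $3, the exec domain attribute, alongside shutdown_run. If the intent was to keep ptrace and ps access on the single user domain while only the execute/transition access moves to the attribute, those two lines should stay as `allow $2 shutdown_t:process { ptrace signal_perms };` and `ps_process_pattern($2, shutdown_t)`; otherwise drop the unused parameter and its `<param>` block rather than leaving it dead. Note that granting ptrace on shutdown_t to an attribute (which can cover more than the one user domain) is broader than the previous per-domain rule, so the commit message or summary should say that widening is intended. The switch from interface() to template() is required because systemd_user_app_status($1, ...) derives types from the prefix; the role_prefix summary already says so implicitly, but it would help to state that callers must pass the prefix, not the role.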
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7774ec0a..44b80516 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -959,7 +959,7 @@ optional_policy(`
')
optional_policy(`
- shutdown_role(sysadm_r, sysadm_t)
+ shutdown_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
')
optional_policy(`
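Review bot: the diffstat shows sysadm.te as the only caller updated to the new four-argument form; any other role module still calling `shutdown_role(<role>, <domain>)` would have `$3` and `$4` expand to empty in `shutdown_run($3, $4)` and fail at build time, so the other callers of `shutdown_role(` under policy/modules/roles should be checked and converted in the same commit (or the signature change noted as intentionally breaking for out-of-tree policy). The arguments passed here (`sysadm`, `sysadm_t`, `sysadm_application_exec_domain`, `sysadm_r`) do match the documented order role_prefix, user_domain, user_exec_domain, role.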