From 9eec9eea6b6b74d8835928c32467f6edd749ff0e Mon Sep 17 00:00:00 2001
From: Patrik Koncity
Date: Fri, 4 Feb 2022 12:04:16 +0100
Subject: [PATCH] Allow confined sysadmin to use tool vipw

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9eec9eea6b6b74d8835928c32467f6edd749ff0e
Conflict: NA
Allow confined sysadmin to use vipw and vigr, which edits passwd, shadow, group, gshadow.. Dontaudit manage files and dir labeled with admin_home_t. Also vipw need to use sss_cache tool. Allow domain transition from sysadm_passwd_t to sssd_exec_t.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2049018
Signed-off-by: lujie54
---
 policy/modules/admin/usermanage.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index a67fcc4..8fdbfbc 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -501,6 +501,8 @@ init_dontaudit_rw_utmp(sysadm_passwd_t)
 logging_send_syslog_msg(sysadm_passwd_t)
 userdom_use_unpriv_users_fds(sysadm_passwd_t)
+userdom_dontaudit_manage_admin_dir(sysadm_passwd_t)
+userdom_dontaudit_manage_admin_files(sysadm_passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
 
@@ -509,6 +511,10 @@ optional_policy(`
 	nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
 ')
 
+optional_policy(`
+	sssd_domtrans(sysadm_passwd_t)
+')
+
 ########################################
 #
 # Useradd local policy
-- 
1.8.3.1
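Review bot: The two dontaudit lines added after `userdom_use_unpriv_users_fds(sysadm_passwd_t)` suppress denials on admin_home_t content without saying which vipw/vigr operation triggers them, whereas the existing user-home search suppression just below carries an explanatory comment. Suggest preceding them with `# vipw/vigr are typically run from the admin home dir; do not audit attempts to manage admin_home_t content`, so a later reader does not mistake the suppression for an intended permission or drop it as dead policy. Because dontaudit hides the AVC rather than granting access, confirm the tools still complete with those accesses denied; if they actually need to write there, a dontaudit only masks the failure.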
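Review bot: `sssd_domtrans(sysadm_passwd_t)` in the new optional_policy block adds a domain transition with no role handling, while the neighbouring `nscd_run(sysadm_passwd_t, sysadm_passwd_roles)` passes the roles precisely so the transition is permitted for the roles that run sysadm_passwd_t. Unless the target domain is already allowed for sysadm_passwd_roles elsewhere, the transition will be refused at the role check; if the sssd module provides a run-style interface taking a roles argument, that is the consistent choice, otherwise a comment should record where the role allow comes from. The commit message gives the reason as sss_cache; a line such as `# vipw/vigr invoke sss_cache to refresh the sssd cache` above the block would preserve that rationale in the policy itself.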