From 8879c209b0916931aab95d733fc7f4b52b99258b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Wed, 22 Dec 2021 13:06:33 +0100
Subject: [PATCH] Allow sysadm execute sysadmctl in sysadm_t domain using sudo

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/8879c209b0916931aab95d733fc7f4b52b99258b
Conflict: NA

When an unprivileged user in the sysadm_r role executes systemctl through sudo, it transitions into sysadm_sudo_t domain by default. With this commit, the process transitions back to sysadm_t. The systemd_domtrans_systemctl() interface was added.

Resolves: rhbz#2013749

Signed-off-by: lujie54
---
 policy/modules/admin/sudo.if | 5 +++++
 policy/modules/system/systemd.if | 23 +++++++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index f6df896..24ede58 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -101,6 +101,11 @@ template(`sudo_role_template',`
 	')
 
 	optional_policy(`
+		systemd_domtrans_systemctl($1_sudo_t, $3)
+		systemd_systemctl_entrypoint($3)
+	')
+
+	optional_policy(`
 		userdom_write_user_tmp_sockets($1_sudo_t)
 	')
 
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index ec58e33..351438c 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -128,6 +128,29 @@ interface(`systemd_systemctl_entrypoint',`
 
 #######################################
 ##
+##	Execute systemctl in the specified domain
+##
+##
+##
+##	Domain allowed access.
+##
+##
+##
+##
+##	Domain to transition to.
+##
+##
+#
+interface(`systemd_domtrans_systemctl',`
+	gen_require(`
+		type systemd_systemctl_exec_t;
+	')
+
+	domain_auto_transition_pattern($1, systemd_systemctl_exec_t, $2)
+')
+
+#######################################
+##
 ##	Create a file type used for systemd unit files.
 ##
 ##
-- 
1.8.3.1
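Review bot: The new `optional_policy` block in `sudo_role_template` is unconditional within the template, so `systemd_domtrans_systemctl($1_sudo_t, $3)` and `systemd_systemctl_entrypoint($3)` are instantiated for every role that uses the template (staff, user, and so on), not only for sysadm_r as the subject line suggests; if that breadth is intended it deserves a comment, otherwise the rules belong in the sysadm-specific policy. Making `systemd_systemctl_exec_t` an entrypoint of `$3` also has an effect beyond the sudo path: any domain that already holds a `transition` permission to `$3` and may execute that file type can presumably now enter `$3` through systemctl, which is worth confirming against the existing rules for each role domain. A short why-comment would keep the intent discoverable, e.g. `# systemctl run via sudo returns to the caller's role domain (rhbz#2013749)`. The enclosing template starts and ends outside the hunk.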
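Review bot: The documentation of `systemd_domtrans_systemctl` does not tell callers that the target domain must separately be given the entrypoint on `systemd_systemctl_exec_t`; if I read `domain_auto_transition_pattern` correctly it grants execute on the file type, `process transition` and the `type_transition`, but not `file entrypoint`, which is why the sudo.if hunk pairs this call with `systemd_systemctl_entrypoint($3)`. Without that pairing the automatic transition is denied at exec time, so the summary should say so, e.g. `##	The target domain must also be an entrypoint via systemd_systemctl_entrypoint().` under the existing summary line. It would also help to state in the `target_domain` description that the transition is automatic (a `type_transition`, not merely permitted), since the interface name alone does not distinguish the two.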