packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/backport-Allow-sysadm-execute-sysadmctl-in-sysadm_t-domain-us.patch
lujie54 3c7c076926 backport upstream patches
2022-09-05 10:17:25 +08:00

75 lines
2.1 KiB
Diff
Raw Blame History

From 8879c209b0916931aab95d733fc7f4b52b99258b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 22 Dec 2021 13:06:33 +0100
Subject: [PATCH] Allow sysadm execute sysadmctl in sysadm_t domain using sudo
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/8879c209b0916931aab95d733fc7f4b52b99258b
Conflict: NA
When an unprivileged user in the sysadm_r role executes systemctl
through sudo, it transitions into sysadm_sudo_t domain by default.
With this commit, the process transitions back to sysadm_t.
The systemd_domtrans_systemctl() interface was added.
Resolves: rhbz#2013749
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/admin/sudo.if | 5 +++++
policy/modules/system/systemd.if | 23 +++++++++++++++++++++++
2 files changed, 28 insertions(+)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index f6df896..24ede58 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -101,6 +101,11 @@ template(`sudo_role_template',`
')
optional_policy(`
+ systemd_domtrans_systemctl($1_sudo_t, $3)
+ systemd_systemctl_entrypoint($3)
+ ')
+
+ optional_policy(`
userdom_write_user_tmp_sockets($1_sudo_t)
')
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index ec58e33..351438c 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -128,6 +128,29 @@ interface(`systemd_systemctl_entrypoint',`
#######################################
## <summary>
+## Execute systemctl in the specified domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+#
+interface(`systemd_domtrans_systemctl',`
+ gen_require(`
+ type systemd_systemctl_exec_t;
+ ')
+
+ domain_auto_transition_pattern($1, systemd_systemctl_exec_t, $2)
+')
+
+#######################################
+## <summary>
## Create a file type used for systemd unit files.
## </summary>
## <param name="script_file">
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink