|
 |
70e052 |
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
|
|
|
70e052 |
index b6debf340..329eb3922 100644
|
|
|
70e052 |
--- a/policy/modules/admin/sudo.if
|
|
|
70e052 |
+++ b/policy/modules/admin/sudo.if
|
|
|
70e052 |
@@ -55,6 +55,7 @@ template(`sudo_role_template',`
|
|
|
70e052 |
files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
|
|
|
70e052 |
|
|
|
70e052 |
allow $1_sudo_t $3:dir search_dir_perms;;
|
|
|
70e052 |
+ allow $1_sudo_t $3:file read_file_perms;;
|
|
|
70e052 |
allow $1_sudo_t $3:key search;
|
|
|
70e052 |
|
|
|
70e052 |
# Enter this derived domain from the user domain
|
|
|
a5bc36 |
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
|
|
|
a5bc36 |
index 5c11b48e1..ef069d779 100644
|
|
|
a5bc36 |
--- a/policy/modules/admin/sudo.te
|
|
|
a5bc36 |
+++ b/policy/modules/admin/sudo.te
|
|
|
a5bc36 |
@@ -119,6 +119,10 @@ optional_policy(`
|
|
|
a5bc36 |
')
|
|
|
a5bc36 |
')
|
|
|
a5bc36 |
|
|
|
a5bc36 |
+optional_policy(`
|
|
|
a5bc36 |
+ systemd_write_inherited_logind_sessions_pipes(sudodomain)
|
|
|
a5bc36 |
+')
|
|
|
a5bc36 |
+
|
|
|
a5bc36 |
optional_policy(`
|
|
|
a5bc36 |
fprintd_dbus_chat(sudodomain)
|
|
|
a5bc36 |
')
|
|
|
304846 |
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
|
|
|
304846 |
index 5fa83a2fb..34fd0b0f1 100644
|
|
|
304846 |
--- a/policy/modules/kernel/domain.if
|
|
|
304846 |
+++ b/policy/modules/kernel/domain.if
|
|
|
304846 |
@@ -602,6 +602,42 @@ interface(`domain_search_all_domains_state',`
|
|
|
304846 |
allow $1 domain:dir search_dir_perms;
|
|
|
304846 |
')
|
|
|
304846 |
|
|
|
304846 |
+########################################
|
|
|
304846 |
+## <summary>
|
|
|
304846 |
+## Allow read and write of process kernel keyrings
|
|
|
304846 |
+## </summary>
|
|
|
304846 |
+## <param name="domain">
|
|
|
304846 |
+## <summary>
|
|
|
304846 |
+## Domain to dontaudit.
|
|
|
304846 |
+## </summary>
|
|
|
304846 |
+## </param>
|
|
|
304846 |
+#
|
|
|
304846 |
+interface(`domain_rw_all_domains_keyrings',`
|
|
|
304846 |
+ gen_require(`
|
|
|
304846 |
+ attribute domain;
|
|
|
304846 |
+ ')
|
|
|
304846 |
+
|
|
|
304846 |
+ allow $1 domain:key { read write};
|
|
|
304846 |
+')
|
|
|
304846 |
+
|
|
|
304846 |
+########################################
|
|
|
304846 |
+## <summary>
|
|
|
304846 |
+## Allow manage of process kernel keyrings
|
|
|
304846 |
+## </summary>
|
|
|
304846 |
+## <param name="domain">
|
|
|
304846 |
+## <summary>
|
|
|
304846 |
+## Domain to dontaudit.
|
|
|
304846 |
+## </summary>
|
|
|
304846 |
+## </param>
|
|
|
304846 |
+#
|
|
|
304846 |
+interface(`domain_manage_all_domains_keyrings',`
|
|
|
304846 |
+ gen_require(`
|
|
|
304846 |
+ attribute domain;
|
|
|
304846 |
+ ')
|
|
|
304846 |
+
|
|
|
304846 |
+ allow $1 domain:key manage_key_perms;
|
|
|
304846 |
+')
|
|
|
304846 |
+
|
|
|
304846 |
########################################
|
|
|
304846 |
## <summary>
|
|
|
304846 |
## Do not audit attempts to search the process
|
|
|
70e052 |
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
|
|
|
70e052 |
index c03a52c04..8569b19db 100644
|
|
|
70e052 |
--- a/policy/modules/roles/staff.te
|
|
|
70e052 |
+++ b/policy/modules/roles/staff.te
|
|
|
70e052 |
@@ -55,6 +55,7 @@ storage_read_scsi_generic(staff_t)
|
|
|
70e052 |
storage_write_scsi_generic(staff_t)
|
|
|
70e052 |
|
|
|
70e052 |
term_use_unallocated_ttys(staff_t)
|
|
|
70e052 |
+term_use_generic_ptys(staff_t)
|
|
|
70e052 |
|
|
|
70e052 |
auth_domtrans_pam_console(staff_t)
|
|
|
70e052 |
|
|
|
b110d1 |
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
|
|
b110d1 |
index 8f75416ce..d5f2f5b4a 100644
|
|
|
b110d1 |
--- a/policy/modules/system/systemd.if
|
|
|
b110d1 |
+++ b/policy/modules/system/systemd.if
|
|
|
b110d1 |
@@ -351,6 +351,26 @@ interface(`systemd_use_fds_logind',`
|
|
|
b110d1 |
allow $1 systemd_logind_t:fd use;
|
|
|
b110d1 |
')
|
|
|
b110d1 |
|
|
|
b110d1 |
+########################################
|
|
|
b110d1 |
+## <summary>
|
|
|
b110d1 |
+## Read the process state (/proc/pid) of systemd_logind_t.
|
|
|
b110d1 |
+## </summary>
|
|
|
b110d1 |
+## <param name="domain">
|
|
|
b110d1 |
+## <summary>
|
|
|
b110d1 |
+## Domain allowed access.
|
|
|
b110d1 |
+## </summary>
|
|
|
b110d1 |
+## </param>
|
|
|
b110d1 |
+#
|
|
|
b110d1 |
+interface(`systemd_logind_read_state',`
|
|
|
b110d1 |
+ gen_require(`
|
|
|
b110d1 |
+ type systemd_logind_t;
|
|
|
b110d1 |
+ ')
|
|
|
b110d1 |
+
|
|
|
b110d1 |
+ allow $1 systemd_logind_t:dir search_dir_perms;
|
|
|
b110d1 |
+ allow $1 systemd_logind_t:file read_file_perms;
|
|
|
b110d1 |
+ allow $1 systemd_logind_t:lnk_file read_lnk_file_perms;
|
|
|
b110d1 |
+')
|
|
|
b110d1 |
+
|
|
|
b110d1 |
######################################
|
|
|
b110d1 |
## <summary>
|
|
|
b110d1 |
## Read logind sessions files.
|
|
|
70e052 |
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
|
|
70e052 |
index cceb511fc..f5139efd2 100644
|
|
|
70e052 |
--- a/policy/modules/system/userdomain.te
|
|
|
70e052 |
+++ b/policy/modules/system/userdomain.te
|
|
|
70e052 |
@@ -381,6 +381,7 @@ dontaudit confined_admindomain self:socket create;
|
|
|
70e052 |
|
|
|
70e052 |
allow confined_admindomain user_devpts_t:chr_file { setattr rw_chr_file_perms };
|
|
|
70e052 |
term_create_pty(confined_admindomain, user_devpts_t)
|
|
|
70e052 |
+term_use_generic_ptys(confined_admindomain)
|
|
|
70e052 |
# avoid annoying messages on terminal hangup on role change
|
|
|
70e052 |
dontaudit confined_admindomain user_devpts_t:chr_file ioctl;
|
|
|
70e052 |
|