-rw-r--r-- | policy/modules/admin/su.if | 24 | ||||
-rw-r--r-- | policy/modules/admin/su.te | 1 | ||||
-rw-r--r-- | policy/modules/admin/sudo.if | 4 |
3 files changed, 27 insertions, 2 deletions
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index a3859ab40..528104a9c 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -31,9 +31,10 @@ template(`su_restricted_domain_template', `
 	gen_require(`
 		type su_exec_t;
+		attribute sudomain;
 	')
 
-	type $1_su_t;
+	type $1_su_t, sudomain;
 	domain_entry_file($1_su_t, su_exec_t)
 	domain_type($1_su_t)
 	domain_interactive_fd($1_su_t)
@@ -154,9 +155,10 @@ template(`su_restricted_domain_template', `
 template(`su_role_template',`
 	gen_require(`
 		type su_exec_t;
+		attribute sudomain;
 	')
 
-	type $1_su_t;
+	type $1_su_t, sudomain;
 	userdom_user_application_domain($1_su_t, su_exec_t)
 	domain_interactive_fd($1_su_t)
 	role $4 types $1_su_t;
@@ -319,3 +321,21 @@ interface(`su_exec',`
 	corecmd_search_bin($1)
 	can_exec($1, su_exec_t)
 ')
+
+#######################################
+## <summary>
+##	Send signals to all su domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`su_signal_all',`
+	gen_require(`
+		attribute sudomain;
+	')
+
+	allow $1 sudomain:process signal;
+')
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index 662f18629..721387ce4 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -14,6 +14,7 @@ gen_tunable(su_allow_user_exec_domains, false)
 #
 # Declarations
 #
+attribute sudomain;
 
 type su_exec_t;
 corecmd_executable_file(su_exec_t)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d70f83eee..1e51044df 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -215,6 +215,10 @@ template(`sudo_role_template',`
 		fprintd_dbus_chat($1_sudo_t)
 	')
 
+	optional_policy(`
+		su_signal_all($1_sudo_t)
+	')
+
 	ifdef(`distro_gentoo',`
 		# Fix bug 549640 - Add dontaudit getattr on chr and blk devices as is done with regular user domains too
 		dev_dontaudit_getattr_all_blk_files($1_sudo_t)
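Review bot: The new `optional_policy` block in `sudo_role_template` (last hunk, sudo.if) grants every sudo-derived domain `process signal` over every type carrying `sudomain`, i.e. across all role prefixes and not just the same-prefix `$1_su_t`, and nothing in the hunk records why that breadth is wanted. Presumably the intent is for a sudo instance to signal an su it launched — confirm, and add a one-line why-comment above the block such as `# su spawned from sudo may run in any su domain; signal via the attribute` so the cross-role grant reads as deliberate rather than accidental. If the same-prefix pairing is all that is needed, the attribute is still the practical handle because `$1_su_t` is declared by the su templates and may not exist for every role, but then the `<summary>` on `su_signal_all` in su.if should say the grant covers all su domains regardless of role. `sudo_role_template` begins and ends outside the hunk.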