3 files changed, 27 insertions, 2 deletions

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index a3859ab40..528104a9c 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -31,9 +31,10 @@
 template(`su_restricted_domain_template', `
 	gen_require(`
 		type su_exec_t;
+		attribute sudomain;
 	')
 
-	type $1_su_t;
+	type $1_su_t, sudomain;
 	domain_entry_file($1_su_t, su_exec_t)
 	domain_type($1_su_t)
 	domain_interactive_fd($1_su_t)
@@ -154,9 +155,10 @@ template(`su_restricted_domain_template', `
 template(`su_role_template',`
 	gen_require(`
 		type su_exec_t;
+		attribute sudomain;
 	')
 
-	type $1_su_t;
+	type $1_su_t, sudomain;
 	userdom_user_application_domain($1_su_t, su_exec_t)
 	domain_interactive_fd($1_su_t)
 	role $4 types $1_su_t;
@@ -319,3 +321,21 @@ interface(`su_exec',`
 	corecmd_search_bin($1)
 	can_exec($1, su_exec_t)
 ')
+
+#######################################
+## <summary>
+##	Send signals to all su domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`su_signal_all',`
+	gen_require(`
+		attribute sudomain;
+	')
+
+	allow $1 sudomain:process signal;
+')
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index 662f18629..721387ce4 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -14,6 +14,7 @@ gen_tunable(su_allow_user_exec_domains, false)
 #
 # Declarations
 #
+attribute sudomain;
 
 type su_exec_t;
 corecmd_executable_file(su_exec_t)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d70f83eee..1e51044df 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -215,6 +215,10 @@ template(`sudo_role_template',`
 		fprintd_dbus_chat($1_sudo_t)
 	')
 
+	optional_policy(`
+		su_signal_all($1_sudo_t)
+	')
+
 	ifdef(`distro_gentoo',`
 		# Fix bug 549640 - Add dontaudit getattr on chr and blk devices as is done with regular user domains too
 		dev_dontaudit_getattr_all_blk_files($1_sudo_t)