Hookup attribute for user applications to run other applications #412
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
0xC0ncord
changed the title
pebenito
requested changes
Oct 13, 2021
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
The tunable 'sudo_allow_user_exec_domains' only allows user domains themselves to use sudo if disabled (default), otherwise any domain with the corresponding user exec domain attribute may use sudo. Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Split `pulseaudio_domtrans()` into two interfaces: one that grants transition access and the other the `pulseaudio_client` attribute. This fixes a build error because calls to `pulseaudio_domtrans()` by the role would associate the client attribute with the user exec domain attribute. Signed-off-by: Kenton Groombridge <me@concord.sh>
0xC0ncord
force-pushed
the
bugfix/systemd-user-exec-apps-hookup
branch
from
cd47224
to
c7e4c1d
Compare
|
From the source diff it seems ok, but I noticed something concerning from sediff: These are all additions. |
It seems that most of these new rules are to I'm not sure what the use case is for xguest having the ability to run httpd user scripts. If you think we should lock this down, I can add a template for httpd user script guest access, or we can remove this call altogether: https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/roles/xguest.te#L89 |
|
Let's remove the access. I don't see a need for a guest to have apache access. If there is a good reason found in the future, we can reconsider. |
Signed-off-by: Kenton Groombridge <me@concord.sh>
|
OK. I added another commit to remove |
pebenito
approved these changes
Nov 14, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the second part of the effort previously started in #381.
This PR modifies the calls to every
_role()and_role_template()to use the new$1_application_exec_domainwhere appropriate, while still standardizing these role calls to use this format:myapp_role[_template](user, user_t, user_application_exec_domain, user_r). This PR does not touch any role interfaces that do not have any callers.$1_application_exec_domainonly gets permissions needed to execute and transition to other applications, as well as usingstream_connect()on them if it was previously given to userdomains.$1_application_exec_domaindoes not get access to read or modify application data explicitly.Additionally,
$1_systemd_tgets the permissions needed to monitor applications started by users in order to capture output tojournald, check their state, and so on.Lastly,
sudo,su, andshutdownget a new tunable (default off) to control whether$1_application_exec_domainshould have access to execute these administrative applications.Fixes #365