File 8e3800ad74f1b7784aeae76b792a7dbf3a5ad753.patch of Package selinux-policy
commit 8e3800ad74f1b7784aeae76b792a7dbf3a5ad753
Author: Johannes Segitz <jsegitz@suse.de>
Date: Mon Dec 2 17:41:09 2024 +0100
introduce unconfined_service_transition_to_confined_user boolean
unconfined_service_transition_to_confined_user allows
unconfined_service_t to transition to unconfined_t. Usually you don't
want this, but in cases where you spawn user sessions from unconfined
services it can be necessary (bsc#1233738)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 61a73c760..e7ca9504e 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -11,6 +11,13 @@ require {
#
attribute unconfined_services;
+## <desc>
+## <p>
+## allow unconfined_service_t transition to the unconfined user domain
+## </p>
+## </desc>
+gen_tunable(unconfined_service_transition_to_confined_user, false)
+
type unconfined_service_t;
domain_type(unconfined_service_t)
role system_r types unconfined_service_t;
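Review bot: The boolean name `unconfined_service_transition_to_confined_user` says "confined user", but the `<desc>` text added above `gen_tunable` and the commit message both describe a transition to the unconfined user domain, and the second hunk gates `unconfined_domtrans(unconfined_service_t)` on it. An administrator reading the boolean list would likely misjudge what enabling it permits. If the name can still change without breaking persisted settings, `unconfined_service_transition_to_unconfined_user` would match the rule. The description could also say when the boolean is needed, for example `## Allow unconfined_service_t to transition to the unconfined user domain. Only needed when user sessions are spawned from unconfined services.`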
@@ -57,3 +64,9 @@ optional_policy(`
optional_policy(`
gpg_manage_admin_home_content(unconfined_service_t)
')
+
+optional_policy(`
+ tunable_policy(`unconfined_service_transition_to_confined_user',`
+ unconfined_domtrans(unconfined_service_t)
+ ')
+')
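Review bot: The new `tunable_policy` block has no comment saying why the transition exists, so the rationale lives only in the commit message. A comment directly above the `tunable_policy(` line would keep the reason next to the rule, for example `# user sessions spawned from unconfined services need this transition (bsc#1233738)`. This matters to a later policy audit because the rule is an opt-in domain transition that is off by default.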