commit 76a28a62c0614e5fd36bf5772496f370781949e0
Author: Johannes Segitz <jsegitz@suse.de>
Date: Wed Dec 4 17:01:33 2024 +0100
- introduce unconfined_service_transition_to_confined_user boolean
unconfined_service_transition_to_confined_user allows
unconfined_service_t to transition to unconfined_t. Usually you don't
want this, but in cases where you spawn user sessions from unconfined
services it can be necessary (bsc#1233738)
diff --git a/dist/minimum/booleans.conf b/dist/minimum/booleans.conf
index 22a2374ef..8bd2675af 100644
--- a/dist/minimum/booleans.conf
+++ b/dist/minimum/booleans.conf
@@ -246,3 +246,6 @@ init_upstart = true
# Allow mount to mount any file/dir
#
allow_mount_anyfile = true
+
+# Allows unconfined_service_t to transition to unconfined_t
+unconfined_service_transition_to_confined_user = false
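Review bot: The comment added on the line above says the boolean lets `unconfined_service_t` transition to `unconfined_t`, but the boolean's own name ends in `_to_confined_user`, which reads as the opposite (a tightening) of what enabling it does; the name is what administrators see in `getsebool`/`setsebool` output, so the mismatch is what will mislead in practice. The same contradiction appears in the `gen_tunable` description added to policy/modules/system/unconfined.te in this commit. If the name has not shipped yet, rename the tunable to match its effect (for example `unconfined_service_transition_to_unconfined_user`) in all three files; if it must stay, make the comment spell out the actual effect: `# Allows unconfined_service_t to domain-transition to unconfined_t (the unconfined user domain); off by default`.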
diff --git a/dist/targeted/booleans.conf b/dist/targeted/booleans.conf
index e0a5fca4d..48967a7c3 100644
--- a/dist/targeted/booleans.conf
+++ b/dist/targeted/booleans.conf
@@ -57,3 +57,4 @@ use_samba_home_dirs = false
xguest_exec_content = false
xserver_execmem = false
zebra_write_config = false
+unconfined_service_transition_to_confined_user = false
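Review bot: The new entry is appended after `zebra_write_config`, which breaks the alphabetical order the surrounding lines follow (`xguest_exec_content`, `xserver_execmem`, `zebra_write_config`); a `u` key belongs before the `x` entries. Keeping the order makes the file diff-friendly and lets a reviewer spot a duplicate or misnamed boolean at a glance. The enclosing section starts outside the hunk, so the exact insertion point is not visible here.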
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 61a73c760..c0ebe4feb 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -11,6 +11,13 @@ require {
#
attribute unconfined_services;
+## <desc>
+## <p>
+## allow unconfined_service_t transition to the unconfined user domain
+## </p>
+## </desc>
+gen_tunable(unconfined_service_transition_to_confined_user, false)
+
type unconfined_service_t;
domain_type(unconfined_service_t)
role system_r types unconfined_service_t;
@@ -57,3 +64,9 @@ optional_policy(`
optional_policy(`
gpg_manage_admin_home_content(unconfined_service_t)
')
+
+optional_policy(`
+ tunable_policy(`unconfined_service_transition_to_confined_user',`
+ unconfined_domtrans(unconfined_service_t)
+ ')
+')
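Review bot: The `tunable_policy` block carries no comment stating what enabling the boolean grants, even though this is the line that actually hands `unconfined_service_t` a domain transition into `unconfined_t`; the commit message says this is only needed when user sessions are spawned from unconfined services, and that rationale should live next to the rule. Suggest, above the `tunable_policy` line: `# When enabled, unconfined_service_t may execute into unconfined_t (the unconfined user domain); only needed when user sessions are spawned from unconfined services, default off.` Separately, the block is wrapped in `optional_policy`, but if `unconfined_domtrans` is the interface from this module's own unconfined.if (as its name suggests), the wrapper is unnecessary because that interface is always present when unconfined.te is built, and a bare `tunable_policy` would be clearer; the surrounding `optional_policy` blocks guard interfaces from other modules such as gpg, which is a different case.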