File kandim.patch of Package selinux-policy
Index: selinux-policy-20240531/policy/modules/contrib/kanidm_unixd.if
===================================================================
--- selinux-policy-20240531.orig/policy/modules/contrib/kanidm_unixd.if
+++ selinux-policy-20240531/policy/modules/contrib/kanidm_unixd.if
@@ -115,3 +115,41 @@ interface(`kandim_kanidm_sshkeys_exec',`
allow $1 kanidm_sshkeys_exec_t:file { exec_file_perms };
')
+
+########################################
+## <summary>
+## Execute kanidm_sshkeys in the dedicated domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kandim_kanidm_sshkeys_transition',`
+ gen_require(`
+ type kanidm_sshkeys_exec_t, kanidm_sshkeys_t;
+ type kanidm_sshkeys_direct_exec_t, kanidm_sshkeys_direct_t;
+ ')
+
+ domtrans_pattern($1, kanidm_sshkeys_exec_t, kanidm_sshkeys_t)
+ domtrans_pattern($1, kanidm_sshkeys_direct_exec_t, kanidm_sshkeys_direct_t)
+')
+
+########################################
+## <summary>
+## Execute kanidm_unix in the dedicated domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kandim_unix_transition',`
+ gen_require(`
+ type kanidm_unix_exec_t, kanidm_unix_t;
+ ')
+
+ domtrans_pattern($1, kanidm_unix_exec_t, kanidm_unix_t)
+')
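Review bot: The new interfaces carry the `kandim_` prefix even though the module is `kanidm_unixd`; this mirrors the existing `kandim_kanidm_sshkeys_exec` typo visible at the top of the hunk, so it is internally consistent, but every caller (ssh.te, unconfineduser.te) now has to reproduce the misspelling. If renaming the existing interface is out of scope, a short comment above the new interfaces stating that the spelling is deliberate would save the next reader a grep. The summary of `kandim_kanidm_sshkeys_transition` also names only one domain while the body transitions into both `kanidm_sshkeys_t` and `kanidm_sshkeys_direct_t`; suggest `## Execute kanidm_sshkeys (and its _direct variant) in the dedicated kanidm_sshkeys_t / kanidm_sshkeys_direct_t domains.`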
Index: selinux-policy-20240531/policy/modules/contrib/kanidm_unixd.te
===================================================================
--- selinux-policy-20240531.orig/policy/modules/contrib/kanidm_unixd.te
+++ selinux-policy-20240531/policy/modules/contrib/kanidm_unixd.te
@@ -181,12 +181,12 @@ files_read_var_lib_files(kanidm_sshkeys_
#============= sshd_t ==============
# Allow sshd_t to call the ssh authorised keys binary for execution, while ensuring that the context
# of the ssh key binary is isolated separate to sshd
-domtrans_pattern(sshd_t, kanidm_sshkeys_exec_t, kanidm_sshkeys_t)
-domtrans_pattern(sshd_t, kanidm_sshkeys_direct_exec_t, kanidm_sshkeys_direct_t)
+#domtrans_pattern(sshd_t, kanidm_sshkeys_exec_t, kanidm_sshkeys_t)
+#domtrans_pattern(sshd_t, kanidm_sshkeys_direct_exec_t, kanidm_sshkeys_direct_t)
#============= unconfined_t ==============
# Allow unconfined users to call the various CLI tools, while forcing them into a confined state.
-domtrans_pattern(unconfined_t, kanidm_unix_exec_t, kanidm_unix_t)
-domtrans_pattern(unconfined_t, kanidm_sshkeys_exec_t, kanidm_sshkeys_t)
-domtrans_pattern(unconfined_t, kanidm_sshkeys_direct_exec_t, kanidm_sshkeys_direct_t)
+#domtrans_pattern(unconfined_t, kanidm_unix_exec_t, kanidm_unix_t)
+#domtrans_pattern(unconfined_t, kanidm_sshkeys_exec_t, kanidm_sshkeys_t)
+#domtrans_pattern(unconfined_t, kanidm_sshkeys_direct_exec_t, kanidm_sshkeys_direct_t)
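Review bot: The five domtrans rules are commented out rather than deleted, so the comments left above them (`Allow sshd_t to call the ssh authorised keys binary...`, `Allow unconfined users ... forcing them into a confined state`) now describe rules that no longer exist in this file. Since the sshd_t transitions move to ssh.te through the new interface, replace the dead lines with a pointer such as `# Domain transitions from sshd_t are granted in ssh.te via kandim_kanidm_sshkeys_transition()` and drop the `sshd_t`/`unconfined_t` section headers; as written, the commented-out `unconfined_t` block reads as if it is meant to be re-enabled. Note that with these lines removed nothing in the visible patch still transitions unconfined_t into kanidm_unix_t, because the replacement call in unconfineduser.te is added commented out as well.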
Index: selinux-policy-20240531/policy/modules/roles/unconfineduser.te
===================================================================
--- selinux-policy-20240531.orig/policy/modules/roles/unconfineduser.te
+++ selinux-policy-20240531/policy/modules/roles/unconfineduser.te
@@ -140,6 +140,11 @@ optional_policy(`
abrt_run_helper(unconfined_t, unconfined_r)
')
+#optional_policy(`
+#kandim_kanidm_sshkeys_transition(unconfined_t)
+#kandim_unix_transition(unconfined_t)
+#')
+
optional_policy(`
avahi_dbus_chat(unconfined_t)
')
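Review bot: The new `optional_policy` block is added already commented out, so the unconfined_t → kanidm_unix_t / kanidm_sshkeys_t transitions removed from kanidm_unixd.te in this same patch are not re-established anywhere, and unconfined users will now run the kanidm CLI tools in unconfined_t rather than in the confined domains the old kanidm_unixd.te comment said they were forced into. If that is intentional (for example because the interfaces are not yet available in every build), state the reason in a comment and remove the dead block instead of leaving it disabled; if not, uncomment the four lines. Either way the calls should be indented with a tab like the neighbouring `abrt_run_helper(unconfined_t, unconfined_r)` so the block matches the file's layout.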
Index: selinux-policy-20240531/policy/modules/services/ssh.te
===================================================================
--- selinux-policy-20240531.orig/policy/modules/services/ssh.te
+++ selinux-policy-20240531/policy/modules/services/ssh.te
@@ -359,6 +359,10 @@ tunable_policy(`ssh_sysadm_login',`
')
optional_policy(`
+ kandim_kanidm_sshkeys_transition(sshd_t)
+')
+
+optional_policy(`
amanda_search_var_lib(sshd_t)
')
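Review bot: The new `optional_policy` block is inserted ahead of the `amanda_search_var_lib(sshd_t)` block; the optional_policy blocks in ssh.te appear to be kept in alphabetical module order, so this one belongs alongside the other `k*` modules further down (outside this hunk), not before `amanda`. The rationale that used to sit next to this rule in kanidm_unixd.te (the AuthorizedKeysCommand helper must run isolated from sshd) is dropped by this patch, so it is worth restoring here as `# kanidm AuthorizedKeysCommand helpers run in their own domains, isolated from sshd_t`. The `')` at the top of the hunk closes a `tunable_policy` block that begins outside the visible lines.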