From e0b8c4de6fd6af6199f0210d9a2a46565379a4ee Mon Sep 17 00:00:00 2001
From: Vit Mojzis
Date: Fri, 26 May 2023 19:34:38 +0200
Subject: [PATCH] userdom_base_user_template: Define role corresponding to the new user
The template creates a new SELinux user, but requires the corresponding role, meaning that the policy utilizing the interface needs to look as follos to work: role _r; userdom_base_user_template() This also breaks the policy generated by sepolicy generate --term_user -n
Signed-off-by: Vit Mojzis
---
 policy/modules/system/userdomain.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index c8fa71c4a2..ff4f28504b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -27,7 +27,6 @@ template(`userdom_base_user_template',`
 attribute userdomain;
 type user_devpts_t, user_tty_device_t;
 class context contains;
- role $1_r;
 ')
 attribute $1_file_type;
@@ -39,6 +38,7 @@ template(`userdom_base_user_template',`
 corecmd_bin_entry_type($1_t)
 domain_user_exemption_target($1_t)
 ubac_constrained($1_t)
+ role $1_r;
 role $1_r types $1_t;
 allow system_r $1_r;
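Review bot: The added `role $1_r;` in the second hunk carries no comment, and nothing visible in the patch updates the template's header documentation (outside the hunk) to say the template now declares the role itself. I would add above it `# Declare the role for the new user; callers no longer need their own role statement.`, with no quotes or backticks in the comment because this is m4 template text. The removed gen_require entry also acted as a check: a mistyped prefix presumably failed to resolve the role, whereas it now gets a fresh role plus the `allow system_r $1_r;` below it. For that reason it is worth confirming that existing callers which still declare `role X_r;` themselves build cleanly with the declaration now in both places. The template body begins before and continues past the hunk.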