From f411c146986fabe7375724528b2d4ba8cf78b904 Mon Sep 17 00:00:00 2001 From: Vit Mojzis Date: Mon, 12 Feb 2024 19:38:14 +0100 Subject: [PATCH] confined: make "-l" non optional The confinedom_user_login_macro is needed for all custom users. Also, allow the new user type to be accessed via remote login. Signed-off-by: Vit Mojzis --- udica/__main__.py | 2 +- udica/macros/confined_user_macros.cil | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/udica/__main__.py b/udica/__main__.py index 1ba8515..801499c 100644 --- a/udica/__main__.py +++ b/udica/__main__.py @@ -92,7 +92,7 @@ def get_args(): "-l", "--user_login", action="store_true", - default=False, + default=True, dest="user_login", help="Basic rules common to all users (tty, pty, ...)", ) diff --git a/udica/macros/confined_user_macros.cil b/udica/macros/confined_user_macros.cil index ddb5689..06c4c56 100644 --- a/udica/macros/confined_user_macros.cil +++ b/udica/macros/confined_user_macros.cil @@ -2411,7 +2411,7 @@ (typetransition utype sudo_exec_t process sudo_type) (allow sudo_type utype (fd (use))) (allow sudo_type utype (fifo_file (ioctl read write getattr lock append))) - (allow sudo_type utype (process (sigchld))) + (allow sudo_type utype (process (getpgid sigchld))) (allow sudo_type bin_t (dir (getattr open search))) (allow sudo_type bin_t (dir (ioctl read getattr lock open search))) (allow sudo_type bin_t (dir (getattr open search))) @@ -4006,6 +4006,12 @@ ) ) ) + ; Telnet login + (optional confinedom_user_login_optional_3 + (typeattributeset cil_gen_require remote_login_t) + (allow remote_login_t utype (process (signal transition))) + (allow utype self (bpf (prog_load))) + ) ) (macro confined_ssh_connect_macro ((type utype) (role urole) (type ssh_agent_type)) -- 2.43.0