confined: make "-l" non optional

The confinedom_user_login_macro is needed for all custom users. Also, allow the new user type to be accessed via remote login. Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2024-05-23 01:36:21 +02:00 · 2024-02-12 19:38:14 +01:00 · 2024-02-12 19:38:14 +01:00 · f411c14698
parent d444e67ead
commit f411c14698
2 changed files with 8 additions and 2 deletions
--- a/udica/main.py
+++ b/udica/main.py
@ -92,7 +92,7 @@ def get_args():
            "-l",
            "--user_login",
            action="store_true",
-            default=False,
+            default=True,
            dest="user_login",
            help="Basic rules common to all users (tty, pty, ...)",
        )
--- a/udica/macros/confined_user_macros.cil
+++ b/udica/macros/confined_user_macros.cil
@ -2411,7 +2411,7 @@
        (typetransition utype sudo_exec_t process sudo_type)
        (allow sudo_type utype (fd (use)))
        (allow sudo_type utype (fifo_file (ioctl read write getattr lock append)))
-        (allow sudo_type utype (process (sigchld)))
+        (allow sudo_type utype (process (getpgid sigchld)))
        (allow sudo_type bin_t (dir (getattr open search)))
        (allow sudo_type bin_t (dir (ioctl read getattr lock open search)))
        (allow sudo_type bin_t (dir (getattr open search)))
@ -4006,6 +4006,12 @@
            )
        )
    )
+    ; Telnet login
+    (optional  confinedom_user_login_optional_3
+      (typeattributeset cil_gen_require remote_login_t)
+      (allow remote_login_t utype (process (signal transition)))
+      (allow utype self (bpf (prog_load)))
+    )
 )

 (macro confined_ssh_connect_macro ((type utype) (role urole) (type ssh_agent_type))