From 616ecf27cfb400e6830dc270492ff8131736a743 Mon Sep 17 00:00:00 2001
From: Hilko Bengen
Date: Wed, 21 Feb 2024 20:09:30 +0100
Subject: [PATCH] Fix SELinux policy for Debian and derivatives

Close #198
---
 contrib/selinux/laurel.te | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/contrib/selinux/laurel.te b/contrib/selinux/laurel.te
index 3ec8f72..98aa889 100644
--- a/contrib/selinux/laurel.te
+++ b/contrib/selinux/laurel.te
@@ -11,8 +11,6 @@ permissive laurel_t;
 init_daemon_domain(laurel_t, laurel_exec_t)
-gen_require(`type passwd_file_t;')
-
 # Transition auditd (auditd 3+) -> laurel
 ifdef(`audit3',`
 gen_require(`type auditd_t;')
@@ -50,8 +48,17 @@ list_dirs_pattern(laurel_t, proc_t, proc_t);
 # stat() for every file (for enrich.script)
 files_getattr_all_files(laurel_t)
-# Access user database or SSSD
-allow laurel_t passwd_file_t:file { open read };
+# Access local user database
+ifdef(`distro_debian',`
+ gen_require(`type etc_t;')
+ allow laurel_t etc_t:file { open read };
+')
+ifdef(`distro_redhat',`
+ gen_require(`type passwd_file_t;')
+ allow laurel_t passwd_file_t:file { open read };
+')
+
+# Access user database via SSSD
 sssd_read_public_files(laurel_t)
 sssd_stream_connect(laurel_t)
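Review bot: The Debian branch in the second hunk, `allow laurel_t etc_t:file { open read };`, is much broader than the passwd_file_t rule it replaces: in refpolicy-derived policies etc_t is the generic label for everything under /etc that carries no more specific type, so laurel can now read most of the host's configuration files rather than just the user database, and the comment `# Access local user database` understates that. If there is genuinely no narrower label for /etc/passwd and /etc/group on Debian, say so next to the rule, e.g. `# Debian labels /etc/passwd as etc_t, so this unavoidably covers most of /etc`, so a later reviewer does not tighten it and reopen #198. The two `ifdef`s also have no fallback: a policy build where neither `distro_debian` nor `distro_redhat` is defined now gets no user-database rule at all, whereas the removed lines granted passwd_file_t unconditionally; using m4's else branch instead, i.e. replacing `')` and `ifdef(`distro_redhat',`` with `',`` and dropping the second `')`, keeps the previous behaviour for other distributions (assuming passwd_file_t is defined there, as the old unconditional gen_require suggests). Note that `permissive laurel_t;` in the first hunk's header means none of these rules are enforced yet, so in practice the change alters which AVC denials get logged rather than what laurel can read.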