From 1f1e2474d87bce50ca0b8a6d7d8b295068301cac Mon Sep 17 00:00:00 2001 From: cgzones Date: Thu, 16 Feb 2017 14:30:48 +0100 Subject: [PATCH] improve documentation for user_user_(inherited_)?user_terminals --- policy/modules/system/userdomain.if | 74 ++++++++++++++++------------- 1 file changed, 41 insertions(+), 33 deletions(-) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index e8d01f005..f05d85619 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -3230,38 +3230,10 @@ interface(`userdom_use_user_ptys',` type user_devpts_t; ') + term_list_ptys($1) allow $1 user_devpts_t:chr_file rw_term_perms; ') -######################################## -## -## Read and write a inherited user TTYs and PTYs. -## -## -##

-## Allow the specified domain to read and write inherited user -## TTYs and PTYs. This will allow the domain to -## interact with the user via the terminal. Typically -## all interactive applications will require this -## access. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`userdom_use_inherited_user_terminals',` - gen_require(` - type user_tty_device_t, user_devpts_t; - ') - - allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; - allow $1 user_devpts_t:chr_file rw_inherited_term_perms; -') - ######################################## ## ## Read and write a user TTYs and PTYs. @@ -3288,14 +3260,50 @@ interface(`userdom_use_inherited_user_terminals',` ## ## # -interface(`userdom_use_user_terminals',` +interface(`userdom_use_inherited_user_terminals',` gen_require(` - type user_tty_device_t, user_devpts_t; + type user_devpts_t, user_tty_device_t; ') - allow $1 user_tty_device_t:chr_file rw_term_perms; - allow $1 user_devpts_t:chr_file rw_term_perms; term_list_ptys($1) + allow $1 { user_devpts_t user_tty_device_t }:chr_file rw_inherited_term_perms; +') + +######################################## +## +## Read, write and open a user TTYs and PTYs. +## +## +##
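Review bot: The added `term_list_ptys($1)` in `userdom_use_user_ptys` is a permission change rather than documentation, so every existing caller of that interface gains the pty-directory listing access without the commit subject saying so. The same call also ends up in `userdom_use_inherited_user_terminals` in the next hunk, where it is carried over as context from the old `userdom_use_user_terminals` body, whereas the interface removed here granted only the two `rw_inherited_term_perms` rules. A domain that only uses descriptors it was handed presumably does not need to look up the device node. I would reduce the inherited variant to the single `allow $1 { user_devpts_t user_tty_device_t }:chr_file rw_inherited_term_perms;` rule, or justify the extra access. Either way the widening belongs in the commit message so that callers can be audited.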

+## Allow the specified domain to read and write user +## TTYs and PTYs. This will allow the domain to +## interact with the user via the terminal. Typically +## all interactive applications will require this +## access. +##

+##

+## This interface will also allow to open these user +## terminals, which should not be necessary in general +## and userdom_use_inherited_user_terminals() should +## be sufficient. +##

+##

+## However, this also allows the applications to spy +## on user sessions or inject information into the +## user session. Thus, this access should likely +## not be allowed for non-interactive domains. +##

+##
+## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_use_user_terminals',` + userdom_use_user_ptys($1) + userdom_use_user_ttys($1) ') ########################################
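Review bot: The comment block that now sits above `userdom_use_inherited_user_terminals` still opens with the old summary `Read and write a user TTYs and PTYs.` (visible at the end of the first hunk), so the inherited interface no longer says "inherited" in its summary; the rest of that block lies outside the hunk and should be checked as well. I would restore it to `## Read and write inherited user TTYs and PTYs.` In the new description of `userdom_use_user_terminals`, the paragraph starting with "However" follows a sentence that recommends the inherited interface, so the risk statement reads like a counter-argument instead of the reason for the recommendation. Something like `## Opening the terminals also lets the domain spy on or inject input into user sessions, so this access should not be granted to non-interactive domains.` would make the least-privilege guidance unambiguous, and "will also allow to open" reads better as "also allows opening".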