Merge branch 'userdom_terminals_permit_open' of git://github.com/cgzones/refpolicy
This commit is contained in:
Chris PeBenito
commit
305a152795
|
|
@ -3230,38 +3230,10 @@ interface(`userdom_use_user_ptys',`
|
||||||
type user_devpts_t;
|
type user_devpts_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
term_list_ptys($1)
|
||||||
allow $1 user_devpts_t:chr_file rw_term_perms;
|
allow $1 user_devpts_t:chr_file rw_term_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
|
||||||
## <summary>
|
|
||||||
## Read and write a inherited user TTYs and PTYs.
|
|
||||||
## </summary>
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow the specified domain to read and write inherited user
|
|
||||||
## TTYs and PTYs. This will allow the domain to
|
|
||||||
## interact with the user via the terminal. Typically
|
|
||||||
## all interactive applications will require this
|
|
||||||
## access.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
## <param name="domain">
|
|
||||||
## <summary>
|
|
||||||
## Domain allowed access.
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
## <infoflow type="both" weight="10"/>
|
|
||||||
#
|
|
||||||
interface(`userdom_use_inherited_user_terminals',`
|
|
||||||
gen_require(`
|
|
||||||
type user_tty_device_t, user_devpts_t;
|
|
||||||
')
|
|
||||||
|
|
||||||
allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
|
|
||||||
allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write a user TTYs and PTYs.
|
## Read and write a user TTYs and PTYs.
|
||||||
|
|
@ -3288,14 +3260,50 @@ interface(`userdom_use_inherited_user_terminals',`
|
||||||
## </param>
|
## </param>
|
||||||
## <infoflow type="both" weight="10"/>
|
## <infoflow type="both" weight="10"/>
|
||||||
#
|
#
|
||||||
interface(`userdom_use_user_terminals',`
|
interface(`userdom_use_inherited_user_terminals',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type user_tty_device_t, user_devpts_t;
|
type user_devpts_t, user_tty_device_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 user_tty_device_t:chr_file rw_term_perms;
|
|
||||||
allow $1 user_devpts_t:chr_file rw_term_perms;
|
|
||||||
term_list_ptys($1)
|
term_list_ptys($1)
|
||||||
|
allow $1 { user_devpts_t user_tty_device_t }:chr_file rw_inherited_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read, write and open a user TTYs and PTYs.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow the specified domain to read and write user
|
||||||
|
## TTYs and PTYs. This will allow the domain to
|
||||||
|
## interact with the user via the terminal. Typically
|
||||||
|
## all interactive applications will require this
|
||||||
|
## access.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This interface will also allow to open these user
|
||||||
|
## terminals, which should not be necessary in general
|
||||||
|
## and userdom_use_inherited_user_terminals() should
|
||||||
|
## be sufficient.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## However, this also allows the applications to spy
|
||||||
|
## on user sessions or inject information into the
|
||||||
|
## user session. Thus, this access should likely
|
||||||
|
## not be allowed for non-interactive domains.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <infoflow type="both" weight="10"/>
|
||||||
|
#
|
||||||
|
interface(`userdom_use_user_terminals',`
|
||||||
|
userdom_use_user_ptys($1)
|
||||||
|
userdom_use_user_ttys($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue