RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

vlock_t only uses the relabeled terminal. 

The login or ssh program will relabel a tty or pty device after users
log in, and the vlock domain would only need to use the relabeled tty
or pty device, rather than the whole ttynode or ptynode attribute.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
This commit is contained in:
Harry Ciao 2010-12-20 16:02:38 +08:00 committed by Chris PeBenito
parent 1c2e52e43f
commit 3543bdda9f
1 changed files with 2 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
policy/modules/apps/vlock.te
View File

@ -14,6 +14,8 @@ application_domain(vlock_t, vlock_exec_t)
# Local policy
#
# --enable-pam is recommended when configuring vlock, making it
# unnecessary to be a setuid program.
dontaudit vlock_t self:capability { setuid setgid };
allow vlock_t self:fd use;
allow vlock_t self:fifo_file rw_fifo_file_perms;
@ -39,9 +41,6 @@ mls_file_write_all_levels(vlock_t)
selinux_dontaudit_getattr_fs(vlock_t)
term_use_all_ttys(vlock_t)
term_use_all_ptys(vlock_t)
auth_domtrans_chk_passwd(vlock_t)
init_dontaudit_rw_utmp(vlock_t)