vlock_t only uses the relabeled terminal.

The login or ssh program will relabel a tty or pty device after users
log in, and the vlock domain would only need to use the relabeled tty
or pty device, rather than the whole ttynode or ptynode attribute.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
This commit is contained in:
Harry Ciao 2010-12-20 16:02:38 +08:00 committed by Chris PeBenito
parent 1c2e52e43f
commit 3543bdda9f
1 changed files with 2 additions and 3 deletions


@ -14,6 +14,8 @@ application_domain(vlock_t, vlock_exec_t)
# Local policy
#
# --enable-pam is recommended when configuring vlock, making it
# unnecessary to be a setuid program.
dontaudit vlock_t self:capability { setuid setgid };
allow vlock_t self:fd use;
allow vlock_t self:fifo_file rw_fifo_file_perms;
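Review bot: the new comment explains why setuid/setgid are dontaudited rather than allowed on the line below it, but it does not say what a vlock built without --enable-pam will see under this policy; one extra comment line along the lines of "# without it, setuid/setgid capability use is denied and not logged" would make the consequence of the dontaudit explicit for anyone debugging a silent failure.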
@ -39,9 +41,6 @@ mls_file_write_all_levels(vlock_t)
selinux_dontaudit_getattr_fs(vlock_t)
term_use_all_ttys(vlock_t)
term_use_all_ptys(vlock_t)
auth_domtrans_chk_passwd(vlock_t)
init_dontaudit_rw_utmp(vlock_t)
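Review bot: this hunk drops term_use_all_ttys and term_use_all_ptys, but nothing in the change adds an interface that grants vlock_t access to the relabeled user terminal the commit message relies on (the only additions are the two comment lines in the first hunk); either state in the commit message where that access already comes from (for example an existing userdom_use_user_terminals call elsewhere in vlock.te, assuming one is present) or add it here, otherwise vlock_t can lose its controlling terminal entirely.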