vlock_t only uses the relabeled terminal.
After a user logs in, the login or ssh program relabels the tty or pty device, so the vlock domain only needs to use that relabeled device rather than everything covered by the ttynode or ptynode attribute.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
parent
1c2e52e43f
commit
3543bdda9f
|
@ -14,6 +14,8 @@ application_domain(vlock_t, vlock_exec_t)
|
|||
# Local policy
|
||||
#
|
||||
|
||||
# --enable-pam is recommended when configuring vlock, making it
|
||||
# unnecessary to be a setuid program.
|
||||
dontaudit vlock_t self:capability { setuid setgid };
|
||||
allow vlock_t self:fd use;
|
||||
allow vlock_t self:fifo_file rw_fifo_file_perms;
|
||||
|
@ -39,9 +41,6 @@ mls_file_write_all_levels(vlock_t)
|
|||
|
||||
selinux_dontaudit_getattr_fs(vlock_t)
|
||||
|
||||
term_use_all_ttys(vlock_t)
|
||||
term_use_all_ptys(vlock_t)
|
||||
|
||||
auth_domtrans_chk_passwd(vlock_t)
|
||||
|
||||
init_dontaudit_rw_utmp(vlock_t)
|
||||
|
|
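Review bot: After the second hunk drops `term_use_all_ttys(vlock_t)` and `term_use_all_ptys(vlock_t)`, nothing in the visible lines grants vlock_t access to the user's own relabeled terminal, so the change relies on a rule outside these hunks (presumably something like `userdom_use_user_terminals(vlock_t)`), which is worth confirming before merge. The rationale lives only in the commit message, so I would add a comment beside that remaining rule, for example `# Only the invoking user's relabeled tty/pty is used; do not re-add term_use_all_ttys/term_use_all_ptys.`, so that a later AVC denial is not answered by restoring the broad grants. If vlock is ever run in a mode that touches other virtual consoles, that path should be tested in enforcing mode, checking the audit log for denials on tty devices that were not relabeled. In the first hunk, the comment that appears to be added could also say that the `dontaudit` below it suppresses the setuid/setgid denials, since a build without PAM may then fail with no audit record.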