diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index bf48426b2..0640dec74 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -25,6 +25,24 @@ class chr_file { getattr read write };
 devices_list_device_nodes_depend
 ')
 
+########################################
+#
+# terminal_use_all_terminals(domain,[`optional'])
+#
+define(`terminal_use_all_terminals',`
+requires_block_template(terminal_use_all_terminals_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 devpts_t:dir { getattr read search };
+allow $1 { console_device_t devtty_t ttynode ptynode }:chr_file { read write };
+')
+
+define(`terminal_use_all_terminals_depend',`
+attribute ttynode, ptynode;
+type console_device_t, devtty_t, devpts_t;
+class chr_file { read write };
+devices_list_device_nodes_depend
+')
+
 ########################################
 #
 # terminal_use_console(domain,[`optional'])
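Review bot: `terminal_use_all_terminals_depend` declares only `class chr_file { read write };`, yet the interface body also has `allow $1 devpts_t:dir { getattr read search };`, so the dir permissions it uses are not declared by its own dependency block. Unless `devices_list_device_nodes_depend` (not visible here) already supplies them, add `class dir { getattr read search };` to the depend block. The block looks like an unchanged relocation of the definition removed in the next hunk, so the gap probably predates this commit. The header comment is also worth extending, since this grants read/write on every type carrying the `ttynode` or `ptynode` attribute, which is a broad grant for callers to pick up unknowingly.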
@@ -89,39 +107,65 @@ devices_list_device_nodes_depend
 
 ########################################
 #
-# terminal_use_all_terminals(domain,[`optional'])
+# terminal_reset_physical_terminal_labels(domain)
 #
-define(`terminal_use_all_terminals',`
-requires_block_template(terminal_use_all_terminals_depend,$2)
-devices_list_device_nodes($1,optional)
-allow $1 devpts_t:dir { getattr read search };
-allow $1 { console_device_t devtty_t ttynode ptynode }:chr_file { read write };
+define(`terminal_reset_physical_terminal_labels',`
+requires_block_template(terminal_reset_physical_terminal_labels_depend)
+devices_list_device_nodes($1)
+allow $1 ttynode:chr_file relabelfrom;
+allow $1 tty_device_t:chr_file relabelto;
 ')
 
-define(`terminal_use_all_terminals_depend',`
-attribute ttynode, ptynode;
-type console_device_t, devtty_t, devpts_t;
-class chr_file { read write };
+define(`terminal_reset_physical_terminal_labels_depend',`
+attribute ttynode;
+type tty_device_t;
+class chr_file { relabelfrom relabelto };
 devices_list_device_nodes_depend
 ')
 
 ########################################
 #
-# terminal_reset_labels(domain,[`optional'])
+# terminal_use_general_physical_terminal(domain)
 #
-define(`terminal_reset_labels',`
-requires_block_template(terminal_reset_labels_depend,$2)
-devices_list_device_nodes($1,optional)
-allow $1 ttynode:chr_file relabelfrom;
-allow $1 tty_device_t:chr_file relabelto;
+define(`terminal_use_general_physical_terminal',`
+requires_block_template(terminal_use_general_physical_terminal_depend)
+devices_list_device_nodes($1)
+allow $1 tty_device_t:chr_file { read write };
 ')
 
-define(`terminal_reset_labels_depend',`
-attribute ttynode;
+define(`terminal_use_general_physical_terminal_depend',`
 type tty_device_t;
-class chr_file { relabelfrom relabelto };
+class chr_file { read write };
+')
+
+########################################
+#
+# terminal_ignore_use_general_physical_terminal(domain)
+#
+define(`terminal_ignore_use_general_physical_terminal',`
+requires_block_template(terminal_ignore_use_general_physical_terminal_depend)
+dontaudit $1 tty_device_t:chr_file { read write };
+')
+
+define(`terminal_ignore_use_general_physical_terminal_depend',`
+type tty_device_t;
+class chr_file { read write };
+')
+
+########################################
+#
+# terminal_get_user_terminal_attributes(domain,[`optional'])
+#
+define(`terminal_get_user_terminal_attributes',`
+requires_block_template(terminal_get_user_terminal_attributes_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 ttynode:chr_file getattr;
+')
+
+define(`terminal_get_user_terminal_attributes_depend',`
+attribute ttynode;
+class chr_file getattr;
 devices_list_device_nodes_depend
-kernel_relabeling_privilege_depend
 ')
 
 ########################################
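Review bot: `terminal_use_general_physical_terminal` calls `devices_list_device_nodes($1)`, but `terminal_use_general_physical_terminal_depend` lists only `type tty_device_t;` and `class chr_file { read write };`. The other interfaces in this hunk that make the same call (`terminal_reset_physical_terminal_labels`, `terminal_get_user_terminal_attributes`) end their depend blocks with `devices_list_device_nodes_depend`. Add `devices_list_device_nodes_depend` before the closing `')` so the declared dependencies match the rules the interface expands to. The same omission is in `terminal_use_general_pseudoterminal_depend` in the next hunk.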
@@ -156,16 +200,29 @@ class dir { getattr search read };
 
 ########################################
 #
-# terminal_get_user_terminal_attributes(domain,[`optional'])
+# terminal_use_general_pseudoterminal(domain)
 #
-define(`terminal_get_user_terminal_attributes',`
-requires_block_template(terminal_get_user_terminal_attributes_depend,$2)
-devices_list_device_nodes($1,optional)
-allow $1 ttynode:chr_file getattr;
+define(`terminal_use_general_pseudoterminal',`
+requires_block_template(terminal_use_general_pseudoterminal_depend)
+devices_list_device_nodes($1)
+allow $1 devpts_t:chr_file { read write };
 ')
 
-define(`terminal_get_user_terminal_attributes_depend',`
-attribute ttynode;
-class chr_file getattr;
-devices_list_device_nodes_depend
+define(`terminal_use_general_pseudoterminal_depend',`
+type devpts_t;
+class chr_file { read write };
+')
+
+########################################
+#
+# terminal_ignore_use_general_pseudoterminal(domain)
+#
+define(`terminal_ignore_use_general_pseudoterminal',`
+requires_block_template(terminal_ignore_use_general_pseudoterminal_depend)
+dontaudit $1 devpts_t:chr_file { read write };
+')
+
+define(`terminal_ignore_use_general_pseudoterminal_depend',`
+type devpts_t;
+class chr_file { read write };
 ')
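Review bot: `terminal_ignore_use_general_pseudoterminal` is documented only by its signature line, although its single rule `dontaudit $1 devpts_t:chr_file { read write };` removes the denial from the audit trail rather than granting anything. I would add a header comment such as `# Do not audit attempts by the domain to read or write the generic pty type; the access is still denied.` and state that it is meant for domains where the attempt is a known, harmless side effect. The same comment is missing on `terminal_ignore_use_general_physical_terminal` in the previous hunk. Anyone investigating a denial for a domain that uses either interface has to know the rule exists, because these events are not logged while dontaudit rules are active.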