selinux-refpolicy/refpolicy/policy/modules/kernel/terminal.if

786 lines
17 KiB
Plaintext

## <summary>Policy for terminals.</summary>
## <required val="true">
## Depended on by other required modules.
## </required>
########################################
## <summary>
## Transform specified type into a pty type.
## </summary>
## <param name="pty_type">
## An object type that will applied to a pty.
## </param>
#
interface(`term_pty',`
gen_require(`
attribute ptynode;
type devpts_t;
class filesystem associate;
')
allow $1 devpts_t:filesystem associate;
typeattribute $1 ptynode;
')
########################################
## <summary>
## Transform specified type into an user
## pty type. This allows it to be relabeled via
## type change by login programs such as ssh.
## </summary>
## <param name="userdomain">
## The type of the user domain associated with
## this pty.
## </param>
## <param name="object_type">
## An object type that will applied to a pty.
## </param>
#
interface(`term_user_pty',`
gen_require(`
attribute server_ptynode;
')
term_pty($2)
type_change $2 server_ptynode:chr_file $1;
')
########################################
## <summary>
## Transform specified type into a pty type
## used by login programs, such as sshd.
## </summary>
## <param name="pty_type">
## An object type that will applied to a pty.
## </param>
#
interface(`term_login_pty',`
gen_require(`
attribute server_ptynode;
')
term_pty($1)
typeattribute $1 server_ptynode;
')
########################################
## <summary>
## Transform specified type into a tty type.
## </summary>
## <param name="tty_type">
## An object type that will applied to a tty.
## </param>
#
interface(`term_tty',`
gen_require(`
attribute ttynode;
type tty_device_t;
')
typeattribute $2 ttynode;
type_change $1 tty_device_t:chr_file $2;
# Debian login is from shadow utils and does not allow resetting the perms.
# have to fix this!
ifdef(`distro_debian',`
type_change $1 ttynode:chr_file $2;
')
ifdef(`distro_redhat',`
fs_associate_tmpfs($2)
')
')
########################################
## <summary>
## Create a pty in the /dev/pts directory.
## </summary>
## <param name="domain">
## The type of the process creating the pty.
## </param>
## <param name="pty_type">
## The type of the pty.
## </param>
#
interface(`term_create_pty',`
gen_require(`
type bsdpty_device_t, devpts_t, ptmx_t;
class filesystem getattr;
class dir r_dir_perms;
class chr_file rw_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 ptmx_t:chr_file rw_file_perms;
allow $1 devpts_t:dir r_dir_perms;
allow $1 devpts_t:filesystem getattr;
dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
type_transition $1 devpts_t:chr_file $2;
')
########################################
## <summary>
## Read and write the console, all
## ttys and all ptys.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_use_all_terms',`
gen_require(`
attribute ttynode, ptynode;
type console_device_t, devpts_t, tty_device_t;
class dir r_dir_perms;
class chr_file rw_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
')
########################################
## <summary>
## Write to the console.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_write_console',`
gen_require(`
type console_device_t;
class chr_file write;
')
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file write;
')
########################################
## <summary>
## Read from and write to the console.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_use_console',`
gen_require(`
type console_device_t;
class chr_file rw_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file rw_file_perms;
')
########################################
## <summary>
## Do not audit attemtps to read from
## or write to the console.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
class chr_file { read write };
')
dontaudit $1 console_device_t:chr_file { read write };
')
########################################
## <summary>
## Set the attributes of the console
## device node.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_setattr_console',`
gen_require(`
type console_device_t;
class chr_file setattr;
')
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file setattr;
')
########################################
## <summary>
## Do not audit attempts to get the
## attributes of the /dev/pts directory.
## </summary>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`term_dontaudit_getattr_pty_dir',`
gen_require(`
type devpts_t;
class dir getattr;
')
dontaudit $1 devpts_t:dir getattr;
')
########################################
## <summary>
## Read the /dev/pts directory to
## list all ptys.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_list_ptys',`
gen_require(`
type devpts_t;
class dir r_dir_perms;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to read the
## /dev/pts directory.
## </summary>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`term_dontaudit_list_ptys',`
gen_require(`
type devpts_t;
class dir { getattr search read };
')
dontaudit $1 devpts_t:dir { getattr search read };
')
########################################
## <summary>
## Do not audit attempts to create, read,
## write, or delete the /dev/pts directory.
## </summary>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`term_dontaudit_manage_pty_dir',`
gen_require(`
type devpts_t;
class dir create_dir_perms;
')
dontaudit $1 devpts_t:dir create_dir_perms;
')
########################################
## <summary>
## Read and write the generic pty
## type. This is generally only used in
## the targeted policy.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_use_generic_pty',`
gen_require(`
type devpts_t;
class chr_file { read write };
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:chr_file { read write };
')
########################################
## <summary>
## Dot not audit attempts to read and
## write the generic pty type. This is
## generally only used in the targeted policy.
## </summary>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`term_dontaudit_use_generic_pty',`
gen_require(`
type devpts_t;
class chr_file { read write };
')
dontaudit $1 devpts_t:chr_file { read write };
')
########################################
## <summary>
## Read and write the controlling
## terminal (/dev/tty).
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_use_controlling_term',`
gen_require(`
type devtty_t;
class chr_file { getattr read write ioctl };
')
dev_list_all_dev_nodes($1)
allow $1 devtty_t:chr_file { getattr read write ioctl };
')
########################################
## <summary>
## Do not audit attempts to read and
## write the pty multiplexor (/dev/ptmx).
## </summary>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`term_dontaudit_use_ptmx',`
gen_require(`
type ptmx_t;
class chr_file { getattr read write };
')
dontaudit $1 ptmx_t:chr_file { getattr read write };
')
########################################
## <summary>
## Get the attributes of all user
## pty device nodes.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_getattr_all_user_ptys',`
gen_require(`
attribute ptynode;
class dir r_dir_perms;
class chr_file getattr;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
allow $1 ptynode:chr_file getattr;
')
########################################
## <summary>
## Do not audit attempts to get the
## attributes of any user pty
## device nodes.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_dontaudit_getattr_all_user_ptys',`
gen_require(`
attribute ptynode;
class chr_file getattr;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
dontaudit $1 ptynode:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of all user
## pty device nodes.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_setattr_all_user_ptys',`
gen_require(`
attribute ptynode;
class dir r_dir_perms;
class chr_file setattr;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
allow $1 ptynode:chr_file setattr;
')
########################################
## <summary>
## Relabel to all user ptys.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_relabelto_all_user_ptys',`
gen_require(`
attribute ptynode;
class chr_file relabelto;
')
allow $1 ptynode:chr_file relabelto;
')
########################################
## <summary>
## Read and write all user ptys.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_use_all_user_ptys',`
gen_require(`
attribute ptynode;
class dir r_dir_perms;
class chr_file { getattr read write ioctl };
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
allow $1 ptynode:chr_file { getattr read write ioctl };
')
########################################
## <summary>
## Do not audit attempts to read any
## user ptys.
## </summary>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`term_dontaudit_use_all_user_ptys',`
gen_require(`
attribute ptynode;
class chr_file { read write };
')
dontaudit $1 ptynode:chr_file { read write };
')
########################################
## <summary>
## Relabel from and to all user
## user pty device nodes.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_relabel_all_user_ptys',`
gen_require(`
attribute ptynode;
type devpts_t;
class chr_file { relabelfrom relabelto };
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir search;
allow $1 ptynode:chr_file { relabelfrom relabelto };
')
########################################
## <summary>
## Get the attributes of all unallocated
## tty device nodes.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_getattr_unallocated_ttys',`
gen_require(`
type tty_device_t;
class chr_file getattr;
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file getattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all unallocated tty device nodes.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_dontaudit_getattr_unallocated_ttys',`
gen_require(`
type tty_device_t;
class chr_file getattr;
')
dontaudit $1 tty_device_t:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of all unallocated
## tty device nodes.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_setattr_unallocated_ttys',`
gen_require(`
type tty_device_t;
class chr_file setattr;
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file setattr;
')
########################################
## <summary>
## Relabel from and to the unallocated
## tty type.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_relabel_unallocated_ttys',`
gen_require(`
type tty_device_t;
class chr_file { relabelfrom relabelto };
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file { relabelfrom relabelto };
')
########################################
## <summary>
## Relabel from all user tty types to
## the unallocated tty type.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_reset_tty_labels',`
gen_require(`
attribute ttynode;
type tty_device_t;
class chr_file { relabelfrom relabelto };
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file relabelfrom;
allow $1 tty_device_t:chr_file relabelto;
')
########################################
## <summary>
## Write to unallocated ttys.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_write_unallocated_ttys',`
gen_require(`
type tty_device_t;
class chr_file { getattr write };
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file { getattr write };
')
########################################
## <summary>
## Read and write unallocated ttys.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_use_unallocated_tty',`
gen_require(`
type tty_device_t;
class chr_file { getattr read write ioctl };
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file { getattr read write ioctl };
')
########################################
## <summary>
## Do not audit attempts to read or
## write unallocated ttys.
## </summary>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`term_dontaudit_use_unallocated_tty',`
gen_require(`
type tty_device_t;
class chr_file { read write };
')
dontaudit $1 tty_device_t:chr_file { read write };
')
########################################
## <summary>
## Get the attributes of all user tty
## device nodes.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_getattr_all_user_ttys',`
gen_require(`
attribute ttynode;
class chr_file getattr;
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file getattr;
')
########################################
## <summary>
## Do not audit attempts to get the
## attributes of any user tty
## device nodes.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_dontaudit_getattr_all_user_ttys',`
gen_require(`
attribute ttynode;
class chr_file getattr;
')
dev_list_all_dev_nodes($1)
dontaudit $1 ttynode:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of all user tty
## device nodes.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_setattr_all_user_ttys',`
gen_require(`
attribute ttynode;
class chr_file setattr;
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file setattr;
')
########################################
## <summary>
## Relabel from and to all user
## user tty device nodes.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_relabel_all_user_ttys',`
gen_require(`
attribute ttynode;
class chr_file { relabelfrom relabelto };
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file { relabelfrom relabelto };
')
########################################
## <summary>
## Write to all user ttys.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_write_all_user_ttys',`
gen_require(`
attribute ttynode;
class chr_file { getattr write };
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file { getattr write };
')
########################################
## <summary>
## Read and write all user to all user ttys.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_use_all_user_ttys',`
gen_require(`
attribute ttynode;
class chr_file { getattr read write ioctl };
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file { getattr read write ioctl };
')
########################################
## <summary>
## Do not audit attempts to read or write
## any user ttys.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_dontaudit_use_all_user_ttys',`
gen_require(`
attribute ttynode;
class chr_file { read write };
')
dontaudit $1 ttynode:chr_file { read write };
')