Merge branch 'userdom_terminals_permit_open' of git://github.com/cgzones/refpolicy
This commit is contained in:
commit
305a152795
@ -3230,38 +3230,10 @@ interface(`userdom_use_user_ptys',`
|
||||
type user_devpts_t;
|
||||
')
|
||||
|
||||
term_list_ptys($1)
|
||||
allow $1 user_devpts_t:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write a inherited user TTYs and PTYs.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow the specified domain to read and write inherited user
|
||||
## TTYs and PTYs. This will allow the domain to
|
||||
## interact with the user via the terminal. Typically
|
||||
## all interactive applications will require this
|
||||
## access.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`userdom_use_inherited_user_terminals',`
|
||||
gen_require(`
|
||||
type user_tty_device_t, user_devpts_t;
|
||||
')
|
||||
|
||||
allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
|
||||
allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write a user TTYs and PTYs.
|
||||
@ -3288,14 +3260,50 @@ interface(`userdom_use_inherited_user_terminals',`
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`userdom_use_user_terminals',`
|
||||
interface(`userdom_use_inherited_user_terminals',`
|
||||
gen_require(`
|
||||
type user_tty_device_t, user_devpts_t;
|
||||
type user_devpts_t, user_tty_device_t;
|
||||
')
|
||||
|
||||
allow $1 user_tty_device_t:chr_file rw_term_perms;
|
||||
allow $1 user_devpts_t:chr_file rw_term_perms;
|
||||
term_list_ptys($1)
|
||||
allow $1 { user_devpts_t user_tty_device_t }:chr_file rw_inherited_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read, write and open a user TTYs and PTYs.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow the specified domain to read and write user
|
||||
## TTYs and PTYs. This will allow the domain to
|
||||
## interact with the user via the terminal. Typically
|
||||
## all interactive applications will require this
|
||||
## access.
|
||||
## </p>
|
||||
## <p>
|
||||
## This interface will also allow to open these user
|
||||
## terminals, which should not be necessary in general
|
||||
## and userdom_use_inherited_user_terminals() should
|
||||
## be sufficient.
|
||||
## </p>
|
||||
## <p>
|
||||
## However, this also allows the applications to spy
|
||||
## on user sessions or inject information into the
|
||||
## user session. Thus, this access should likely
|
||||
## not be allowed for non-interactive domains.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`userdom_use_user_terminals',`
|
||||
userdom_use_user_ptys($1)
|
||||
userdom_use_user_ttys($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
Loading…
Reference in New Issue
Block a user