Merge branch 'userdom_terminals_permit_open' of git://github.com/cgzones/refpolicy

This commit is contained in:
Chris PeBenito 2017-02-28 18:44:32 -05:00
commit 305a152795

View File

@ -3230,38 +3230,10 @@ interface(`userdom_use_user_ptys',`
type user_devpts_t;
')
term_list_ptys($1)
allow $1 user_devpts_t:chr_file rw_term_perms;
')
########################################
## <summary>
## Read and write a inherited user TTYs and PTYs.
## </summary>
## <desc>
## <p>
## Allow the specified domain to read and write inherited user
## TTYs and PTYs. This will allow the domain to
## interact with the user via the terminal. Typically
## all interactive applications will require this
## access.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`userdom_use_inherited_user_terminals',`
gen_require(`
type user_tty_device_t, user_devpts_t;
')
allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
')
########################################
## <summary>
## Read and write a user TTYs and PTYs.
@ -3288,14 +3260,50 @@ interface(`userdom_use_inherited_user_terminals',`
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`userdom_use_user_terminals',`
interface(`userdom_use_inherited_user_terminals',`
gen_require(`
type user_tty_device_t, user_devpts_t;
type user_devpts_t, user_tty_device_t;
')
allow $1 user_tty_device_t:chr_file rw_term_perms;
allow $1 user_devpts_t:chr_file rw_term_perms;
term_list_ptys($1)
allow $1 { user_devpts_t user_tty_device_t }:chr_file rw_inherited_term_perms;
')
########################################
## <summary>
## Read, write and open a user TTYs and PTYs.
## </summary>
## <desc>
## <p>
## Allow the specified domain to read and write user
## TTYs and PTYs. This will allow the domain to
## interact with the user via the terminal. Typically
## all interactive applications will require this
## access.
## </p>
## <p>
## This interface will also allow to open these user
## terminals, which should not be necessary in general
## and userdom_use_inherited_user_terminals() should
## be sufficient.
## </p>
## <p>
## However, this also allows the applications to spy
## on user sessions or inject information into the
## user session. Thus, this access should likely
## not be allowed for non-interactive domains.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`userdom_use_user_terminals',`
userdom_use_user_ptys($1)
userdom_use_user_ttys($1)
')
########################################