selinux-refpolicy/targeted/domains/program/getty.te

62 lines
1.6 KiB
Plaintext

#DESC Getty - Manage ttys
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: util-linux fbgetty mingetty mgetty rungetty
#
#################################
#
# Rules for the getty_t domain.
#
init_service_domain(getty, `, privfd')
etcdir_domain(getty)
allow getty_t console_device_t:chr_file setattr;
tmp_domain(getty)
log_domain(getty)
allow getty_t { etc_t etc_runtime_t }:file { getattr read };
allow getty_t etc_t:lnk_file read;
allow getty_t self:process { getpgid getsession };
allow getty_t self:unix_dgram_socket create_socket_perms;
allow getty_t self:unix_stream_socket create_socket_perms;
# Use capabilities.
allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
read_locale(getty_t)
# Run login in local_login_t domain.
allow getty_t { sbin_t bin_t }:dir search;
domain_auto_trans(getty_t, login_exec_t, local_login_t)
# Write to /var/run/utmp.
allow getty_t { var_t var_run_t }:dir search;
allow getty_t initrc_var_run_t:file rw_file_perms;
# Write to /var/log/wtmp.
allow getty_t wtmp_t:file rw_file_perms;
# Chown, chmod, read and write ttys.
allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
allow getty_t ttyfile:chr_file { setattr rw_file_perms };
dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms;
# for error condition handling
allow getty_t fs_t:filesystem getattr;
lock_domain(getty)
r_dir_file(getty_t, sysfs_t)
# for mgetty
var_run_domain(getty)
allow getty_t self:capability { fowner fsetid };
#
# getty needs to be able to run pppd
#
ifdef(`pppd.te', `
domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
')