diff options
Diffstat (limited to 'policy/modules/system/getty.te')
| -rw-r--r-- | policy/modules/system/getty.te | 141 |
1 files changed, 141 insertions, 0 deletions
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te new file mode 100644 index 00000000..fd100fcf --- /dev/null +++ b/policy/modules/system/getty.te @@ -0,0 +1,141 @@ +policy_module(getty, 1.9.0) + +######################################## +# +# Declarations +# + +type getty_t; +type getty_exec_t; +init_domain(getty_t, getty_exec_t) +init_system_domain(getty_t, getty_exec_t) +domain_interactive_fd(getty_t) + +type getty_etc_t; +typealias getty_etc_t alias etc_getty_t; +files_config_file(getty_etc_t) + +type getty_lock_t; +files_lock_file(getty_lock_t) + +type getty_log_t; +logging_log_file(getty_log_t) + +type getty_tmp_t; +files_tmp_file(getty_tmp_t) + +type getty_var_run_t; +files_pid_file(getty_var_run_t) + +######################################## +# +# Getty local policy +# + +# Use capabilities. +allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; +dontaudit getty_t self:capability sys_tty_config; +allow getty_t self:process { getpgid setpgid getsession signal_perms }; +allow getty_t self:fifo_file rw_fifo_file_perms; + +read_files_pattern(getty_t, getty_etc_t, getty_etc_t) +read_lnk_files_pattern(getty_t, getty_etc_t, getty_etc_t) +files_etc_filetrans(getty_t, getty_etc_t,{ file dir }) + +allow getty_t getty_lock_t:file manage_file_perms; +files_lock_filetrans(getty_t, getty_lock_t, file) + +allow getty_t getty_log_t:file manage_file_perms; +logging_log_filetrans(getty_t, getty_log_t, file) + +allow getty_t getty_tmp_t:file manage_file_perms; +allow getty_t getty_tmp_t:dir manage_dir_perms; +files_tmp_filetrans(getty_t, getty_tmp_t, { file dir }) + +manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t) +files_pid_filetrans(getty_t, getty_var_run_t, file) + +kernel_read_system_state(getty_t) + +# these two needed for receiving faxes +corecmd_exec_bin(getty_t) +corecmd_exec_shell(getty_t) + +dev_read_sysfs(getty_t) + +files_rw_generic_pids(getty_t) +files_read_etc_runtime_files(getty_t) +files_read_etc_files(getty_t) +files_search_spool(getty_t) + +fs_search_auto_mountpoints(getty_t) +# for error condition handling +fs_getattr_xattr_fs(getty_t) + +mcs_process_set_categories(getty_t) + +mls_file_read_all_levels(getty_t) +mls_file_write_all_levels(getty_t) + +# Chown, chmod, read and write ttys. +term_use_all_ttys(getty_t) +term_use_unallocated_ttys(getty_t) +term_setattr_all_ttys(getty_t) +term_setattr_unallocated_ttys(getty_t) +term_setattr_console(getty_t) + +auth_rw_login_records(getty_t) + +init_rw_utmp(getty_t) +init_use_script_ptys(getty_t) +init_dontaudit_use_script_ptys(getty_t) + +locallogin_domtrans(getty_t) + +logging_send_syslog_msg(getty_t) + +miscfiles_read_localization(getty_t) + +ifdef(`distro_gentoo',` + # Gentoo default /etc/issue makes agetty + # do a DNS lookup for the hostname + sysnet_dns_name_resolve(getty_t) +') + +ifdef(`distro_redhat',` + # getty requires sys_admin #209426 + allow getty_t self:capability sys_admin; +') + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(getty_t) + ') +') + +tunable_policy(`console_login',` + # Support logging in from /dev/console + term_use_console(getty_t) +',` + term_dontaudit_use_console(getty_t) +') + +optional_policy(` + mta_send_mail(getty_t) +') + +optional_policy(` + nscd_socket_use(getty_t) +') + +optional_policy(` + ppp_domtrans(getty_t) +') + +optional_policy(` + rhgb_dontaudit_use_ptys(getty_t) +') + +optional_policy(` + udev_read_db(getty_t) +') |