Navigation

← Previous Changeset
Next Changeset →

Changeset 2679

Timestamp:

05/12/08 09:08:02 (7 months ago)

Author:

pebenito

Message:

rbacsep: initial collapse of user terminals.

Files:

branches/rbacsep/policy/modules/system/userdomain.if (modified) (13 diffs)
branches/rbacsep/policy/modules/system/userdomain.te (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

branches/rbacsep/policy/modules/system/userdomain.if

r2675	r2679
26	26	gen_require(`
27	27	attribute userdomain;
	28	type user_devpts_t, user_tty_device_t;
28	29	class context contains;
29	30	')
…	…
39	40	allow system_r $1_r;
40	41
41		type $1_devpts_t;
42		term_user_pty($1_t,$1_devpts_t)
43		files_type($1_devpts_t)
44
45		type $1_tty_device_t;
46		term_user_tty($1_t,$1_tty_device_t)
	42	term_user_pty($1_t, user_devpts_t)
	43	role $1_r types user_devpts_t;
	44
	45	term_user_tty($1_t, user_tty_device_t)
	46	role $1_r types user_tty_device_t;
47	47
48	48	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
…	…
58	58	dontaudit $1_t self:socket create;
59	59
60		allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
61		term_create_pty($1_t,$1_devpts_t)
62
63		allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
	60	allow $1_t user_devpts_t:chr_file { setattr ioctl read getattr lock write append };
	61	# avoid annoying messages on terminal hangup on role change
	62	dontaudit $1_t user_devpts_t:chr_file ioctl;
	63
	64	allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };
	65	# avoid annoying messages on terminal hangup on role change
	66	dontaudit $1_t user_tty_device_t:chr_file ioctl;
64	67
65	68	kernel_read_kernel_sysctls($1_t)
…	…
609	612	template(`userdom_change_password_template',`
610	613	gen_require(`
611		type $1_t, ~~$1_devpts_t, $1~~_tty_device_t;
	614	type $1_t, user_devpts_t, user_tty_device_t;
612	615	role $1_r;
613	616	')
614	617
615	618	optional_policy(`
616		usermanage_run_chfn($1_t,$1_r,{ ~~$1_devpts_t $1~~_tty_device_t })
617		usermanage_run_passwd($1_t,$1_r,{ ~~$1_devpts_t $1~~_tty_device_t })
	619	usermanage_run_chfn($1_t,$1_r,{ user_devpts_t user_tty_device_t })
	620	usermanage_run_passwd($1_t,$1_r,{ user_devpts_t user_tty_device_t })
618	621	')
619	622	')
…	…
621	624	#######################################
622	625	## <summary>
623		## The template for allowing the user to change roles.
	626	## The template for allowing the user to change roles. (Deprecated)
624	627	## </summary>
625	628	## <param name="src_role_prefix">
…	…
637	640	#
638	641	template(`userdom_role_change_template',`
	642	refpolicywarn(`$0($*) has been deprecated, use a regular role allow statement instead.')
	643
639	644	gen_require(`
640	645	role $1_r, $2_r;
641		~~type $1_t, $2_t;~~
642		~~type $1_devpts_t, $2_devpts_t;~~
643		~~type $1_tty_device_t, $2_tty_device_t;~~
644	646	')
645	647
646	648	allow $1_r $2_r;
647		~~type_change $2_t $1_devpts_t:chr_file $2_devpts_t;~~
648		~~type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;~~
649		~~# avoid annoying messages on terminal hangup~~
650		~~dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;~~
651	649	')
652	650
…	…
738	736	auth_read_login_records($1_t)
739	737	auth_search_pam_console_data($1_t)
740		auth_run_pam($1_t,$1_r,{ ~~$1_tty_device_t $1~~_devpts_t })
741		auth_run_utempter($1_t,$1_r,{ ~~$1_tty_device_t $1~~_devpts_t })
	738	auth_run_pam($1_t,$1_r,{ user_tty_device_t user_devpts_t })
	739	auth_run_utempter($1_t,$1_r,{ user_tty_device_t user_devpts_t })
742	740
743	741	init_read_utmp($1_t)
…	…
745	743	seutil_read_file_contexts($1_t)
746	744	seutil_read_default_contexts($1_t)
747		seutil_run_newrole($1_t,$1_r,{ ~~$1_devpts_t $1~~_tty_device_t })
	745	seutil_run_newrole($1_t,$1_r,{ user_devpts_t user_tty_device_t })
748	746	seutil_exec_checkpolicy($1_t)
749	747	seutil_exec_setfiles($1_t)
…	…
873	871
874	872	optional_policy(`
875		usernetctl_run($1_t,$1_r,{ ~~$1_devpts_t $1~~_tty_device_t })
	873	usernetctl_run($1_t,$1_r,{ user_devpts_t user_tty_device_t })
876	874	')
877	875	')
…	…
1020	1018	domain_interactive_fd($1_t)
1021	1019
1022		~~typeattribute $1_devpts_t user_ptynode;~~
1023	1020	typeattribute $1_home_dir_t user_home_dir_type;
1024	1021	typeattribute $1_home_t user_home_type;
1025	1022	typeattribute $1_tmp_t user_tmpfile;
1026		~~typeattribute $1_tty_device_t user_ttynode;~~
1027	1023
1028	1024	##############################
…	…
1040	1036
1041	1037	optional_policy(`
1042		loadkeys_run($1_t,$1_r,$1_tty_device_t)
	1038	loadkeys_run($1_t,$1_r, user_tty_device_t)
1043	1039	')
1044	1040	')
…	…
1198	1194
1199	1195	optional_policy(`
1200		netutils_run_ping_cond($1_t,$1_r,{ ~~$1_tty_device_t $1~~_devpts_t })
1201		netutils_run_traceroute_cond($1_t,$1_r,{ ~~$1_tty_device_t $1~~_devpts_t })
	1196	netutils_run_ping_cond($1_t,$1_r,{ user_tty_device_t user_devpts_t })
	1197	netutils_run_traceroute_cond($1_t,$1_r,{ user_tty_device_t user_devpts_t })
1202	1198	')
1203	1199
1204	1200	# Run pppd in pppd_t by default for user
1205	1201	optional_policy(`
1206		ppp_run_cond($1_t,$1_r,{ ~~$1_tty_device_t $1~~_devpts_t })
	1202	ppp_run_cond($1_t,$1_r,{ user_tty_device_t user_devpts_t })
1207	1203	')
1208	1204
…	…
1263	1259	domain_system_change_exemption($1_t)
1264	1260	')
1265
1266		~~typeattribute $1_devpts_t admin_terminal;~~
1267
1268		~~typeattribute $1_tty_device_t admin_terminal;~~
1269	1261
1270	1262	##############################

branches/rbacsep/policy/modules/system/userdomain.te

r2675	r2679
85	85	attribute untrusted_content_type;
86	86	attribute untrusted_content_tmp_type;
	87
	88	type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
	89	dev_node(user_devpts_t)
	90	files_type(user_devpts_t)
	91
	92	type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
	93	dev_node(user_tty_device_t)

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.