|
Chris PeBenito |
4bf4ed9 |
## <summary>Policy for terminals.</summary>
|
|
Chris PeBenito |
fb0a3a9 |
## <required val="true">
|
|
Chris PeBenito |
fb0a3a9 |
## Depended on by other required modules.
|
|
Chris PeBenito |
fb0a3a9 |
## </required>
|
|
Chris PeBenito |
e181fe0 |
|
|
Chris PeBenito |
b4cd153 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Transform specified type into a pty type.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="pty_type">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
414e415 |
## An object type that will applied to a pty.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
b4cd153 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_pty',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
attribute ptynode;
|
|
Chris PeBenito |
a7c3a1b |
type devpts_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Chris PeBenito |
1f8a8bb |
files_type($1)
|
|
Chris PeBenito |
0c73cd2 |
allow $1 devpts_t:filesystem associate;
|
|
Chris PeBenito |
0c73cd2 |
typeattribute $1 ptynode;
|
|
Chris PeBenito |
b16c6b8 |
')
|
|
Chris PeBenito |
b16c6b8 |
|
|
Chris PeBenito |
b16c6b8 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Transform specified type into an user
|
|
Chris PeBenito |
414e415 |
## pty type. This allows it to be relabeled via
|
|
Chris PeBenito |
414e415 |
## type change by login programs such as ssh.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="userdomain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
414e415 |
## The type of the user domain associated with
|
|
Chris PeBenito |
414e415 |
## this pty.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
414e415 |
## <param name="object_type">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
414e415 |
## An object type that will applied to a pty.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
b16c6b8 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_user_pty',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
attribute server_ptynode;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Chris PeBenito |
2a3478c |
term_pty($2)
|
|
Chris PeBenito |
1e786ea |
type_change $1 server_ptynode:chr_file $2;
|
|
Chris PeBenito |
b16c6b8 |
')
|
|
Chris PeBenito |
b16c6b8 |
|
|
Chris PeBenito |
b16c6b8 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Transform specified type into a pty type
|
|
Chris PeBenito |
414e415 |
## used by login programs, such as sshd.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="pty_type">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
414e415 |
## An object type that will applied to a pty.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
0404a39 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_login_pty',`
|
|
Chris PeBenito |
0404a39 |
gen_require(`
|
|
Chris PeBenito |
0404a39 |
attribute server_ptynode;
|
|
Chris PeBenito |
0404a39 |
')
|
|
Chris PeBenito |
0404a39 |
|
|
Chris PeBenito |
0404a39 |
term_pty($1)
|
|
Chris PeBenito |
0404a39 |
typeattribute $1 server_ptynode;
|
|
Chris PeBenito |
0404a39 |
')
|
|
Chris PeBenito |
0404a39 |
|
|
Chris PeBenito |
0404a39 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Transform specified type into a tty type.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="tty_type">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
414e415 |
## An object type that will applied to a tty.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
b16c6b8 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_tty',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
ef5ca0f |
attribute ttynode, serial_device;
|
|
Chris PeBenito |
a7c3a1b |
type tty_device_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Chris PeBenito |
ef5ca0f |
typeattribute $2 ttynode, serial_device;
|
|
Chris PeBenito |
0c73cd2 |
type_change $1 tty_device_t:chr_file $2;
|
|
Chris PeBenito |
0c73cd2 |
|
|
Chris PeBenito |
ce6bf7c |
fs_associate($1)
|
|
Chris PeBenito |
30705b6 |
files_associate_tmp($1)
|
|
Chris PeBenito |
30705b6 |
|
|
Chris PeBenito |
0c73cd2 |
# Debian login is from shadow utils and does not allow resetting the perms.
|
|
Chris PeBenito |
0c73cd2 |
# have to fix this!
|
|
Chris PeBenito |
254bbc7 |
ifdef(`distro_debian',`
|
|
Chris PeBenito |
a7c3a1b |
type_change $1 ttynode:chr_file $2;
|
|
Chris PeBenito |
0c73cd2 |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Chris PeBenito |
85c20af |
ifdef(`distro_gentoo',`
|
|
Chris PeBenito |
85c20af |
fs_associate_tmpfs($2)
|
|
Chris PeBenito |
85c20af |
')
|
|
Chris PeBenito |
85c20af |
|
|
Chris PeBenito |
254bbc7 |
ifdef(`distro_redhat',`
|
|
Chris PeBenito |
eda201e |
fs_associate_tmpfs($2)
|
|
Chris PeBenito |
0c73cd2 |
')
|
|
Chris PeBenito |
b16c6b8 |
')
|
|
Chris PeBenito |
b16c6b8 |
|
|
Chris PeBenito |
b16c6b8 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Create a pty in the /dev/pts directory.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
414e415 |
## The type of the process creating the pty.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
414e415 |
## <param name="pty_type">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
414e415 |
## The type of the pty.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
b16c6b8 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_create_pty',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
type bsdpty_device_t, devpts_t, ptmx_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Karl MacMillan |
f0c985c |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
c2c00be |
allow $1 ptmx_t:chr_file rw_file_perms;
|
|
Karl MacMillan |
f0c985c |
|
|
Chris PeBenito |
0c73cd2 |
allow $1 devpts_t:dir r_dir_perms;
|
|
Chris PeBenito |
0c73cd2 |
allow $1 devpts_t:filesystem getattr;
|
|
Chris PeBenito |
0c73cd2 |
dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
|
|
Chris PeBenito |
0c73cd2 |
type_transition $1 devpts_t:chr_file $2;
|
|
Chris PeBenito |
8a0da10 |
')
|
|
Chris PeBenito |
8a0da10 |
|
|
Chris PeBenito |
8a0da10 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Read and write the console, all
|
|
Chris PeBenito |
414e415 |
## ttys and all ptys.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
de2cee6 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_use_all_terms',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
attribute ttynode, ptynode;
|
|
Chris PeBenito |
a7c3a1b |
type console_device_t, devpts_t, tty_device_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
0c73cd2 |
allow $1 devpts_t:dir r_dir_perms;
|
|
Chris PeBenito |
0c73cd2 |
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
|
|
Chris PeBenito |
de2cee6 |
')
|
|
Chris PeBenito |
de2cee6 |
|
|
Chris PeBenito |
3b857ea |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Write to the console.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
3b857ea |
#
|
|
Chris PeBenito |
199895e |
interface(`term_write_console',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
type console_device_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
3b857ea |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
0e1c461 |
allow $1 console_device_t:chr_file { getattr write append };
|
|
Chris PeBenito |
3b857ea |
')
|
|
Chris PeBenito |
3b857ea |
|
|
Chris PeBenito |
3ce6cb4 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
0f73fde |
## Read from the console.
|
|
Chris PeBenito |
0f73fde |
## </summary>
|
|
Chris PeBenito |
0f73fde |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
0f73fde |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
0f73fde |
## </param>
|
|
Chris PeBenito |
0f73fde |
#
|
|
Chris PeBenito |
0f73fde |
interface(`term_read_console',`
|
|
Chris PeBenito |
0f73fde |
gen_require(`
|
|
Chris PeBenito |
0f73fde |
type console_device_t;
|
|
Chris PeBenito |
0f73fde |
')
|
|
Chris PeBenito |
0f73fde |
|
|
Chris PeBenito |
0f73fde |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
0f73fde |
allow $1 console_device_t:chr_file read;
|
|
Chris PeBenito |
0f73fde |
')
|
|
Chris PeBenito |
0f73fde |
|
|
Chris PeBenito |
0f73fde |
########################################
|
|
Chris PeBenito |
0f73fde |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Read from and write to the console.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
3ce6cb4 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_use_console',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
type console_device_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
0c73cd2 |
allow $1 console_device_t:chr_file rw_file_perms;
|
|
Chris PeBenito |
3ce6cb4 |
')
|
|
Chris PeBenito |
3ce6cb4 |
|
|
Chris PeBenito |
3ce6cb4 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Do not audit attemtps to read from
|
|
Chris PeBenito |
414e415 |
## or write to the console.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
3ce6cb4 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_dontaudit_use_console',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
type console_device_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Chris PeBenito |
da4fc9c |
dontaudit $1 console_device_t:chr_file rw_file_perms;
|
|
Chris PeBenito |
3ce6cb4 |
')
|
|
Chris PeBenito |
3ce6cb4 |
|
|
Chris PeBenito |
3ce6cb4 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Set the attributes of the console
|
|
Chris PeBenito |
414e415 |
## device node.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
3ce6cb4 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_setattr_console',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
type console_device_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
0c73cd2 |
allow $1 console_device_t:chr_file setattr;
|
|
Chris PeBenito |
3ce6cb4 |
')
|
|
Chris PeBenito |
3ce6cb4 |
|
|
Chris PeBenito |
3ce6cb4 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
d15dd5a |
## Create the console device (/dev/console).
|
|
Chris PeBenito |
d15dd5a |
## </summary>
|
|
Chris PeBenito |
d15dd5a |
## <param name="domain">
|
|
Chris PeBenito |
d15dd5a |
## <summary>
|
|
Chris PeBenito |
d15dd5a |
## Domain allowed access.
|
|
Chris PeBenito |
d15dd5a |
## </summary>
|
|
Chris PeBenito |
d15dd5a |
## </param>
|
|
Chris PeBenito |
d15dd5a |
#
|
|
Chris PeBenito |
d15dd5a |
interface(`term_create_console_dev',`
|
|
Chris PeBenito |
d15dd5a |
gen_require(`
|
|
Chris PeBenito |
d15dd5a |
type device_t, console_device_t;
|
|
Chris PeBenito |
d15dd5a |
')
|
|
Chris PeBenito |
d15dd5a |
|
|
Chris PeBenito |
d15dd5a |
allow $1 device_t:dir add_entry_dir_perms;
|
|
Chris PeBenito |
d15dd5a |
allow $1 console_device_t:chr_file create;
|
|
Chris PeBenito |
d15dd5a |
|
|
Chris PeBenito |
d15dd5a |
allow $1 self:capability mknod;
|
|
Chris PeBenito |
d15dd5a |
')
|
|
Chris PeBenito |
d15dd5a |
|
|
Chris PeBenito |
d15dd5a |
########################################
|
|
Chris PeBenito |
d15dd5a |
## <summary>
|
|
Chris PeBenito |
a5e2133 |
## Get the attributes of a pty filesystem
|
|
Chris PeBenito |
a5e2133 |
## </summary>
|
|
Chris PeBenito |
a5e2133 |
## <param name="domain">
|
|
Chris PeBenito |
a5e2133 |
## <summary>
|
|
Chris PeBenito |
a5e2133 |
## Domain allowed access.
|
|
Chris PeBenito |
a5e2133 |
## </summary>
|
|
Chris PeBenito |
a5e2133 |
## </param>
|
|
Chris PeBenito |
a5e2133 |
#
|
|
Chris PeBenito |
a5e2133 |
interface(`term_getattr_pty_fs',`
|
|
Chris PeBenito |
a5e2133 |
gen_require(`
|
|
Chris PeBenito |
a5e2133 |
type devpts_t;
|
|
Chris PeBenito |
a5e2133 |
')
|
|
Chris PeBenito |
a5e2133 |
|
|
Chris PeBenito |
a5e2133 |
allow $1 devpts_t:filesystem getattr;
|
|
Chris PeBenito |
a5e2133 |
')
|
|
Chris PeBenito |
a5e2133 |
|
|
Chris PeBenito |
a5e2133 |
########################################
|
|
Chris PeBenito |
a5e2133 |
## <summary>
|
|
Chris PeBenito |
0f707d5 |
## Do not audit attempts to get the
|
|
Chris PeBenito |
0f707d5 |
## attributes of the /dev/pts directory.
|
|
Chris PeBenito |
0f707d5 |
## </summary>
|
|
Chris PeBenito |
0f707d5 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
0f707d5 |
## The type of the process to not audit.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
0f707d5 |
## </param>
|
|
Chris PeBenito |
0f707d5 |
#
|
|
Chris PeBenito |
1815bad |
interface(`term_dontaudit_getattr_pty_dirs',`
|
|
Chris PeBenito |
0f707d5 |
gen_require(`
|
|
Chris PeBenito |
0f707d5 |
type devpts_t;
|
|
Chris PeBenito |
0f707d5 |
')
|
|
Chris PeBenito |
0f707d5 |
|
|
Chris PeBenito |
0f707d5 |
dontaudit $1 devpts_t:dir getattr;
|
|
Chris PeBenito |
0f707d5 |
')
|
|
Chris PeBenito |
0f707d5 |
|
|
Chris PeBenito |
0f707d5 |
########################################
|
|
Chris PeBenito |
0f707d5 |
## <summary>
|
|
Chris PeBenito |
8428592 |
## Search the contents of the /dev/pts directory.
|
|
Chris PeBenito |
8428592 |
## </summary>
|
|
Chris PeBenito |
8428592 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
8428592 |
## </param>
|
|
Chris PeBenito |
8428592 |
#
|
|
Chris PeBenito |
8428592 |
interface(`term_search_ptys',`
|
|
Chris PeBenito |
8428592 |
gen_require(`
|
|
Chris PeBenito |
8428592 |
type devpts_t;
|
|
Chris PeBenito |
8428592 |
')
|
|
Chris PeBenito |
8428592 |
|
|
Chris PeBenito |
8428592 |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
8428592 |
allow $1 devpts_t:dir search;
|
|
Chris PeBenito |
871b685 |
')
|
|
Chris PeBenito |
871b685 |
|
|
Chris PeBenito |
871b685 |
########################################
|
|
Chris PeBenito |
871b685 |
## <summary>
|
|
Chris PeBenito |
871b685 |
## Do not audit attempts to search the
|
|
Chris PeBenito |
871b685 |
## contents of the /dev/pts directory.
|
|
Chris PeBenito |
871b685 |
## </summary>
|
|
Chris PeBenito |
871b685 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
871b685 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
871b685 |
## </param>
|
|
Chris PeBenito |
871b685 |
#
|
|
Chris PeBenito |
871b685 |
interface(`term_dontaudit_search_ptys',`
|
|
Chris PeBenito |
871b685 |
gen_require(`
|
|
Chris PeBenito |
871b685 |
type devpts_t;
|
|
Chris PeBenito |
871b685 |
')
|
|
Chris PeBenito |
871b685 |
|
|
Chris PeBenito |
a5e2133 |
dev_dontaudit_list_all_dev_nodes($1)
|
|
Chris PeBenito |
871b685 |
dontaudit $1 devpts_t:dir search;
|
|
Chris PeBenito |
8428592 |
')
|
|
Chris PeBenito |
8428592 |
|
|
Chris PeBenito |
8428592 |
########################################
|
|
Chris PeBenito |
8428592 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Read the /dev/pts directory to
|
|
Chris PeBenito |
414e415 |
## list all ptys.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
3ce6cb4 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_list_ptys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
type devpts_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
0c73cd2 |
allow $1 devpts_t:dir r_dir_perms;
|
|
Chris PeBenito |
3ce6cb4 |
')
|
|
Chris PeBenito |
3ce6cb4 |
|
|
Chris PeBenito |
3ce6cb4 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Do not audit attempts to read the
|
|
Chris PeBenito |
5f38a65 |
## /dev/pts directory.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
414e415 |
## The type of the process to not audit.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
3ce6cb4 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_dontaudit_list_ptys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
type devpts_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Chris PeBenito |
0c73cd2 |
dontaudit $1 devpts_t:dir { getattr search read };
|
|
Chris PeBenito |
3ce6cb4 |
')
|
|
Chris PeBenito |
3ce6cb4 |
|
|
Chris PeBenito |
3ce6cb4 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
5f38a65 |
## Do not audit attempts to create, read,
|
|
Chris PeBenito |
5f38a65 |
## write, or delete the /dev/pts directory.
|
|
Chris PeBenito |
5f38a65 |
## </summary>
|
|
Chris PeBenito |
5f38a65 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
5f38a65 |
## The type of the process to not audit.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
5f38a65 |
## </param>
|
|
Chris PeBenito |
5f38a65 |
#
|
|
Chris PeBenito |
1815bad |
interface(`term_dontaudit_manage_pty_dirs',`
|
|
Chris PeBenito |
5f38a65 |
gen_require(`
|
|
Chris PeBenito |
5f38a65 |
type devpts_t;
|
|
Chris PeBenito |
5f38a65 |
')
|
|
Chris PeBenito |
5f38a65 |
|
|
Chris PeBenito |
5f38a65 |
dontaudit $1 devpts_t:dir create_dir_perms;
|
|
Chris PeBenito |
5f38a65 |
')
|
|
Chris PeBenito |
5f38a65 |
|
|
Chris PeBenito |
5f38a65 |
########################################
|
|
Chris PeBenito |
5f38a65 |
## <summary>
|
|
Chris PeBenito |
e08118a |
## ioctl of generic pty types.
|
|
Chris PeBenito |
e08118a |
## </summary>
|
|
Chris PeBenito |
e08118a |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
e08118a |
## </param>
|
|
Chris PeBenito |
e08118a |
#
|
|
Chris PeBenito |
e08118a |
# cjp: added for ppp
|
|
Chris PeBenito |
1815bad |
interface(`term_ioctl_generic_ptys',`
|
|
Chris PeBenito |
e08118a |
gen_require(`
|
|
Chris PeBenito |
e08118a |
type devpts_t;
|
|
Chris PeBenito |
e08118a |
')
|
|
Chris PeBenito |
e08118a |
|
|
Chris PeBenito |
e08118a |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
e08118a |
allow $1 devpts_t:dir search;
|
|
Chris PeBenito |
e08118a |
allow $1 devpts_t:chr_file ioctl;
|
|
Chris PeBenito |
e08118a |
')
|
|
Chris PeBenito |
e08118a |
|
|
Chris PeBenito |
e08118a |
########################################
|
|
Chris PeBenito |
e08118a |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Read and write the generic pty
|
|
Chris PeBenito |
414e415 |
## type. This is generally only used in
|
|
Chris PeBenito |
414e415 |
## the targeted policy.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
3ce6cb4 |
#
|
|
Chris PeBenito |
1815bad |
interface(`term_use_generic_ptys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
type devpts_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
6716737 |
allow $1 devpts_t:dir list_dir_perms;
|
|
Chris PeBenito |
e6a2eaf |
allow $1 devpts_t:chr_file { rw_term_perms lock append };
|
|
Chris PeBenito |
3ce6cb4 |
')
|
|
Chris PeBenito |
3ce6cb4 |
|
|
Chris PeBenito |
de2cee6 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Dot not audit attempts to read and
|
|
Chris PeBenito |
414e415 |
## write the generic pty type. This is
|
|
Chris PeBenito |
414e415 |
## generally only used in the targeted policy.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
414e415 |
## The type of the process to not audit.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
b4cd153 |
#
|
|
Chris PeBenito |
1815bad |
interface(`term_dontaudit_use_generic_ptys',`
|
|
Chris PeBenito |
0e72169 |
gen_require(`
|
|
Chris PeBenito |
0e72169 |
type devpts_t;
|
|
Chris PeBenito |
0e72169 |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Chris PeBenito |
87eb5c8 |
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
|
|
Chris PeBenito |
b4cd153 |
')
|
|
Chris PeBenito |
b4cd153 |
|
|
Chris PeBenito |
b4cd153 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Read and write the controlling
|
|
Chris PeBenito |
414e415 |
## terminal (/dev/tty).
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
b4cd153 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_use_controlling_term',`
|
|
Chris PeBenito |
0e72169 |
gen_require(`
|
|
Chris PeBenito |
0e72169 |
type devtty_t;
|
|
Chris PeBenito |
0e72169 |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
da4fc9c |
allow $1 devtty_t:chr_file { rw_term_perms lock append };
|
|
Chris PeBenito |
8119850 |
')
|
|
Chris PeBenito |
8119850 |
|
|
Chris PeBenito |
8119850 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
e08118a |
## Read and write the pty multiplexor (/dev/ptmx).
|
|
Chris PeBenito |
e08118a |
## </summary>
|
|
Chris PeBenito |
e08118a |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
e08118a |
## The type of the process to allow access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
e08118a |
## </param>
|
|
Chris PeBenito |
e08118a |
#
|
|
Chris PeBenito |
e08118a |
interface(`term_use_ptmx',`
|
|
Chris PeBenito |
e08118a |
gen_require(`
|
|
Chris PeBenito |
e08118a |
type ptmx_t;
|
|
Chris PeBenito |
e08118a |
')
|
|
Chris PeBenito |
e08118a |
|
|
Chris PeBenito |
e08118a |
allow $1 ptmx_t:chr_file rw_file_perms;
|
|
Chris PeBenito |
e08118a |
')
|
|
Chris PeBenito |
e08118a |
|
|
Chris PeBenito |
e08118a |
########################################
|
|
Chris PeBenito |
e08118a |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Do not audit attempts to read and
|
|
Chris PeBenito |
414e415 |
## write the pty multiplexor (/dev/ptmx).
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
414e415 |
## The type of the process to not audit.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
8119850 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_dontaudit_use_ptmx',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
type ptmx_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Chris PeBenito |
0c73cd2 |
dontaudit $1 ptmx_t:chr_file { getattr read write };
|
|
Chris PeBenito |
55a46da |
')
|
|
Chris PeBenito |
55a46da |
|
|
Chris PeBenito |
55a46da |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Get the attributes of all user
|
|
Chris PeBenito |
414e415 |
## pty device nodes.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
b4cd153 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_getattr_all_user_ptys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
attribute ptynode;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
0c73cd2 |
allow $1 devpts_t:dir r_dir_perms;
|
|
Chris PeBenito |
0c73cd2 |
allow $1 ptynode:chr_file getattr;
|
|
Chris PeBenito |
b4cd153 |
')
|
|
Chris PeBenito |
b4cd153 |
|
|
Chris PeBenito |
7bba9d3 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
d9fd8e7 |
## Do not audit attempts to get the
|
|
Chris PeBenito |
d9fd8e7 |
## attributes of any user pty
|
|
Chris PeBenito |
d9fd8e7 |
## device nodes.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
d9fd8e7 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
d9fd8e7 |
## </param>
|
|
Chris PeBenito |
d9fd8e7 |
#
|
|
Chris PeBenito |
d9fd8e7 |
interface(`term_dontaudit_getattr_all_user_ptys',`
|
|
Chris PeBenito |
d9fd8e7 |
gen_require(`
|
|
Chris PeBenito |
d9fd8e7 |
attribute ptynode;
|
|
Chris PeBenito |
d9fd8e7 |
')
|
|
Chris PeBenito |
d9fd8e7 |
|
|
Chris PeBenito |
d9fd8e7 |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
d9fd8e7 |
allow $1 devpts_t:dir r_dir_perms;
|
|
Chris PeBenito |
d9fd8e7 |
dontaudit $1 ptynode:chr_file getattr;
|
|
Chris PeBenito |
d9fd8e7 |
')
|
|
Chris PeBenito |
d9fd8e7 |
|
|
Chris PeBenito |
d9fd8e7 |
########################################
|
|
Chris PeBenito |
e5590ea |
## <summary>
|
|
Chris PeBenito |
e5590ea |
## Set the attributes of all user
|
|
Chris PeBenito |
e5590ea |
## pty device nodes.
|
|
Chris PeBenito |
e5590ea |
## </summary>
|
|
Chris PeBenito |
e5590ea |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
e5590ea |
## </param>
|
|
Chris PeBenito |
e5590ea |
#
|
|
Chris PeBenito |
e5590ea |
interface(`term_setattr_all_user_ptys',`
|
|
Chris PeBenito |
e5590ea |
gen_require(`
|
|
Chris PeBenito |
e5590ea |
attribute ptynode;
|
|
Chris PeBenito |
e5590ea |
')
|
|
Chris PeBenito |
e5590ea |
|
|
Chris PeBenito |
e5590ea |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
e5590ea |
allow $1 devpts_t:dir r_dir_perms;
|
|
Chris PeBenito |
e5590ea |
allow $1 ptynode:chr_file setattr;
|
|
Chris PeBenito |
e5590ea |
')
|
|
Chris PeBenito |
e5590ea |
|
|
Chris PeBenito |
e5590ea |
########################################
|
|
Chris PeBenito |
e5590ea |
## <summary>
|
|
Chris PeBenito |
e5590ea |
## Relabel to all user ptys.
|
|
Chris PeBenito |
e5590ea |
## </summary>
|
|
Chris PeBenito |
e5590ea |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
e5590ea |
## </param>
|
|
Chris PeBenito |
e5590ea |
#
|
|
Chris PeBenito |
e5590ea |
interface(`term_relabelto_all_user_ptys',`
|
|
Chris PeBenito |
e5590ea |
gen_require(`
|
|
Chris PeBenito |
e5590ea |
attribute ptynode;
|
|
Chris PeBenito |
e5590ea |
')
|
|
Chris PeBenito |
e5590ea |
|
|
Chris PeBenito |
e5590ea |
allow $1 ptynode:chr_file relabelto;
|
|
Chris PeBenito |
e5590ea |
')
|
|
Chris PeBenito |
e5590ea |
|
|
Chris PeBenito |
e5590ea |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Read and write all user ptys.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
7bba9d3 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_use_all_user_ptys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
attribute ptynode;
|
|
Chris PeBenito |
41c4800 |
type devpts_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
0c73cd2 |
allow $1 devpts_t:dir r_dir_perms;
|
|
Chris PeBenito |
e6a2eaf |
allow $1 ptynode:chr_file { rw_term_perms lock append };
|
|
Chris PeBenito |
7bba9d3 |
')
|
|
Chris PeBenito |
7bba9d3 |
|
|
Chris PeBenito |
d0eddb6 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Do not audit attempts to read any
|
|
Chris PeBenito |
414e415 |
## user ptys.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
414e415 |
## The type of the process to not audit.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
d0eddb6 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_dontaudit_use_all_user_ptys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
attribute ptynode;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Chris PeBenito |
1f8a8bb |
dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
|
|
Chris PeBenito |
d0eddb6 |
')
|
|
Chris PeBenito |
d0eddb6 |
|
|
Chris PeBenito |
b4cd153 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Relabel from and to all user
|
|
Chris PeBenito |
414e415 |
## user pty device nodes.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
21871a5 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_relabel_all_user_ptys',`
|
|
Chris PeBenito |
21871a5 |
gen_require(`
|
|
Chris PeBenito |
21871a5 |
attribute ptynode;
|
|
Chris PeBenito |
df00b2e |
type devpts_t;
|
|
Chris PeBenito |
21871a5 |
')
|
|
Chris PeBenito |
21871a5 |
|
|
Chris PeBenito |
21871a5 |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
df00b2e |
allow $1 devpts_t:dir search;
|
|
Chris PeBenito |
21871a5 |
allow $1 ptynode:chr_file { relabelfrom relabelto };
|
|
Chris PeBenito |
21871a5 |
')
|
|
Chris PeBenito |
21871a5 |
|
|
Chris PeBenito |
21871a5 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Get the attributes of all unallocated
|
|
Chris PeBenito |
414e415 |
## tty device nodes.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
7bba9d3 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_getattr_unallocated_ttys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
type tty_device_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
0c73cd2 |
allow $1 tty_device_t:chr_file getattr;
|
|
Chris PeBenito |
7bba9d3 |
')
|
|
Chris PeBenito |
7bba9d3 |
|
|
Chris PeBenito |
7bba9d3 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
a5f339f |
## Do not audit attempts to get the attributes
|
|
Chris PeBenito |
a5f339f |
## of all unallocated tty device nodes.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
a5f339f |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
a5f339f |
## </param>
|
|
Chris PeBenito |
a5f339f |
#
|
|
Chris PeBenito |
a5f339f |
interface(`term_dontaudit_getattr_unallocated_ttys',`
|
|
Chris PeBenito |
a5f339f |
gen_require(`
|
|
Chris PeBenito |
a5f339f |
type tty_device_t;
|
|
Chris PeBenito |
a5f339f |
')
|
|
Chris PeBenito |
a5f339f |
|
|
Chris PeBenito |
a5f339f |
dontaudit $1 tty_device_t:chr_file getattr;
|
|
Chris PeBenito |
a5f339f |
')
|
|
Chris PeBenito |
a5f339f |
|
|
Chris PeBenito |
a5f339f |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Set the attributes of all unallocated
|
|
Chris PeBenito |
414e415 |
## tty device nodes.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
7bba9d3 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_setattr_unallocated_ttys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
type tty_device_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
0c73cd2 |
allow $1 tty_device_t:chr_file setattr;
|
|
Chris PeBenito |
7bba9d3 |
')
|
|
Chris PeBenito |
7bba9d3 |
|
|
Chris PeBenito |
7bba9d3 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
ce6bf7c |
## Do not audit attempts to set the attributes
|
|
Chris PeBenito |
ce6bf7c |
## of unallocated tty device nodes.
|
|
Chris PeBenito |
ce6bf7c |
## </summary>
|
|
Chris PeBenito |
ce6bf7c |
## <param name="domain">
|
|
Chris PeBenito |
ce6bf7c |
## <summary>
|
|
Chris PeBenito |
ce6bf7c |
## Domain allowed access.
|
|
Chris PeBenito |
ce6bf7c |
## </summary>
|
|
Chris PeBenito |
ce6bf7c |
## </param>
|
|
Chris PeBenito |
ce6bf7c |
#
|
|
Chris PeBenito |
ce6bf7c |
interface(`term_dontaudit_setattr_unallocated_ttys',`
|
|
Chris PeBenito |
ce6bf7c |
gen_require(`
|
|
Chris PeBenito |
ce6bf7c |
type tty_device_t;
|
|
Chris PeBenito |
ce6bf7c |
')
|
|
Chris PeBenito |
ce6bf7c |
|
|
Chris PeBenito |
ce6bf7c |
dontaudit $1 tty_device_t:chr_file setattr;
|
|
Chris PeBenito |
ce6bf7c |
')
|
|
Chris PeBenito |
ce6bf7c |
|
|
Chris PeBenito |
ce6bf7c |
########################################
|
|
Chris PeBenito |
ce6bf7c |
## <summary>
|
|
Chris PeBenito |
9cca1cd |
## Do not audit attempts to ioctl
|
|
Chris PeBenito |
9cca1cd |
## unallocated tty device nodes.
|
|
Chris PeBenito |
9cca1cd |
## </summary>
|
|
Chris PeBenito |
9cca1cd |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
9cca1cd |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
9cca1cd |
## </param>
|
|
Chris PeBenito |
9cca1cd |
#
|
|
Chris PeBenito |
9cca1cd |
interface(`term_dontaudit_ioctl_unallocated_ttys',`
|
|
Chris PeBenito |
9cca1cd |
gen_require(`
|
|
Chris PeBenito |
9cca1cd |
type tty_device_t;
|
|
Chris PeBenito |
9cca1cd |
')
|
|
Chris PeBenito |
9cca1cd |
|
|
Chris PeBenito |
9cca1cd |
dontaudit $1 tty_device_t:chr_file ioctl;
|
|
Chris PeBenito |
9cca1cd |
')
|
|
Chris PeBenito |
9cca1cd |
|
|
Chris PeBenito |
9cca1cd |
########################################
|
|
Chris PeBenito |
9cca1cd |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Relabel from and to the unallocated
|
|
Chris PeBenito |
414e415 |
## tty type.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
4bf4ed9 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_relabel_unallocated_ttys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
type tty_device_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
0c73cd2 |
allow $1 tty_device_t:chr_file { relabelfrom relabelto };
|
|
Chris PeBenito |
4bf4ed9 |
')
|
|
Chris PeBenito |
4bf4ed9 |
|
|
Chris PeBenito |
4bf4ed9 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Relabel from all user tty types to
|
|
Chris PeBenito |
414e415 |
## the unallocated tty type.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
b4cd153 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_reset_tty_labels',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
attribute ttynode;
|
|
Chris PeBenito |
a7c3a1b |
type tty_device_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
0c73cd2 |
allow $1 ttynode:chr_file relabelfrom;
|
|
Chris PeBenito |
0c73cd2 |
allow $1 tty_device_t:chr_file relabelto;
|
|
Chris PeBenito |
b4cd153 |
')
|
|
Chris PeBenito |
b4cd153 |
|
|
Chris PeBenito |
b4cd153 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
ce6bf7c |
## Append to unallocated ttys.
|
|
Chris PeBenito |
ce6bf7c |
## </summary>
|
|
Chris PeBenito |
ce6bf7c |
## <param name="domain">
|
|
Chris PeBenito |
ce6bf7c |
## <summary>
|
|
Chris PeBenito |
ce6bf7c |
## Domain allowed access.
|
|
Chris PeBenito |
ce6bf7c |
## </summary>
|
|
Chris PeBenito |
ce6bf7c |
## </param>
|
|
Chris PeBenito |
ce6bf7c |
#
|
|
Chris PeBenito |
ce6bf7c |
interface(`term_append_unallocated_ttys',`
|
|
Chris PeBenito |
ce6bf7c |
gen_require(`
|
|
Chris PeBenito |
ce6bf7c |
type tty_device_t;
|
|
Chris PeBenito |
ce6bf7c |
')
|
|
Chris PeBenito |
ce6bf7c |
|
|
Chris PeBenito |
ce6bf7c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
ce6bf7c |
allow $1 tty_device_t:chr_file { getattr append };
|
|
Chris PeBenito |
ce6bf7c |
')
|
|
Chris PeBenito |
ce6bf7c |
|
|
Chris PeBenito |
ce6bf7c |
########################################
|
|
Chris PeBenito |
ce6bf7c |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Write to unallocated ttys.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
daa0e0b |
#
|
|
Chris PeBenito |
199895e |
interface(`term_write_unallocated_ttys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
type tty_device_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
0c73cd2 |
allow $1 tty_device_t:chr_file { getattr write };
|
|
Chris PeBenito |
daa0e0b |
')
|
|
Chris PeBenito |
daa0e0b |
|
|
Chris PeBenito |
daa0e0b |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Read and write unallocated ttys.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
de2cee6 |
#
|
|
Chris PeBenito |
1815bad |
interface(`term_use_unallocated_ttys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
type tty_device_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
da4fc9c |
allow $1 tty_device_t:chr_file { rw_term_perms lock append };
|
|
Chris PeBenito |
de2cee6 |
')
|
|
Chris PeBenito |
de2cee6 |
|
|
Chris PeBenito |
de2cee6 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Do not audit attempts to read or
|
|
Chris PeBenito |
414e415 |
## write unallocated ttys.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
414e415 |
## The type of the process to not audit.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
de2cee6 |
#
|
|
Chris PeBenito |
1815bad |
interface(`term_dontaudit_use_unallocated_ttys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
type tty_device_t;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Chris PeBenito |
0c73cd2 |
dontaudit $1 tty_device_t:chr_file { read write };
|
|
Chris PeBenito |
de2cee6 |
')
|
|
Chris PeBenito |
de2cee6 |
|
|
Chris PeBenito |
de2cee6 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Get the attributes of all user tty
|
|
Chris PeBenito |
414e415 |
## device nodes.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
de2cee6 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_getattr_all_user_ttys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
attribute ttynode;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
0c73cd2 |
allow $1 ttynode:chr_file getattr;
|
|
Chris PeBenito |
ee5772e |
')
|
|
Chris PeBenito |
ee5772e |
|
|
Chris PeBenito |
ee5772e |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Do not audit attempts to get the
|
|
Chris PeBenito |
414e415 |
## attributes of any user tty
|
|
Chris PeBenito |
414e415 |
## device nodes.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
ee5772e |
#
|
|
Chris PeBenito |
199895e |
interface(`term_dontaudit_getattr_all_user_ttys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
attribute ttynode;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
eda201e |
dontaudit $1 ttynode:chr_file getattr;
|
|
Chris PeBenito |
4bf4ed9 |
')
|
|
Chris PeBenito |
4bf4ed9 |
|
|
Chris PeBenito |
4bf4ed9 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Set the attributes of all user tty
|
|
Chris PeBenito |
414e415 |
## device nodes.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
4bf4ed9 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_setattr_all_user_ttys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
attribute ttynode;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Chris PeBenito |
c9428d3 |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
eda201e |
allow $1 ttynode:chr_file setattr;
|
|
Chris PeBenito |
b4cd153 |
')
|
|
Chris PeBenito |
b4cd153 |
|
|
Chris PeBenito |
a2d8246 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Relabel from and to all user
|
|
Chris PeBenito |
414e415 |
## user tty device nodes.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
4bf4ed9 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_relabel_all_user_ttys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
attribute ttynode;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
0c73cd2 |
allow $1 ttynode:chr_file { relabelfrom relabelto };
|
|
Chris PeBenito |
4bf4ed9 |
')
|
|
Chris PeBenito |
4bf4ed9 |
|
|
Chris PeBenito |
4bf4ed9 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Write to all user ttys.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
daa0e0b |
#
|
|
Chris PeBenito |
199895e |
interface(`term_write_all_user_ttys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
attribute ttynode;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
0c73cd2 |
allow $1 ttynode:chr_file { getattr write };
|
|
Chris PeBenito |
daa0e0b |
')
|
|
Chris PeBenito |
daa0e0b |
|
|
Chris PeBenito |
daa0e0b |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Read and write all user to all user ttys.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
a2d8246 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_use_all_user_ttys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
attribute ttynode;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Karl MacMillan |
f0c985c |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
e6a2eaf |
allow $1 ttynode:chr_file { rw_term_perms lock append };
|
|
Chris PeBenito |
a2d8246 |
')
|
|
Chris PeBenito |
a2d8246 |
|
|
Chris PeBenito |
de2cee6 |
########################################
|
|
Chris PeBenito |
f7ebea0 |
## <summary>
|
|
Chris PeBenito |
414e415 |
## Do not audit attempts to read or write
|
|
Chris PeBenito |
414e415 |
## any user ttys.
|
|
Chris PeBenito |
f7ebea0 |
## </summary>
|
|
Chris PeBenito |
414e415 |
## <param name="domain">
|
|
Chris PeBenito |
885b83e |
## <summary>
|
|
Chris PeBenito |
725926c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83e |
## </summary>
|
|
Chris PeBenito |
414e415 |
## </param>
|
|
Chris PeBenito |
de2cee6 |
#
|
|
Chris PeBenito |
199895e |
interface(`term_dontaudit_use_all_user_ttys',`
|
|
Chris PeBenito |
a7c3a1b |
gen_require(`
|
|
Chris PeBenito |
a7c3a1b |
attribute ttynode;
|
|
Chris PeBenito |
a7c3a1b |
')
|
|
Chris PeBenito |
0c73cd2 |
|
|
Chris PeBenito |
0c73cd2 |
dontaudit $1 ttynode:chr_file { read write };
|
|
Chris PeBenito |
de2cee6 |
')
|