Policy for terminals.

## ## Depended on by other required modules. ## ######################################## ##

## Transform specified type into a pty type. ##

## ##

## An object type that will applied to a pty. ##

## # interface(`term_pty',` gen_require(` attribute ptynode; type devpts_t; ') files_type($1) allow $1 devpts_t:filesystem associate; typeattribute $1 ptynode; ') ######################################## ##

## Transform specified type into an user ## pty type. This allows it to be relabeled via ## type change by login programs such as ssh. ##

## ##

## The type of the user domain associated with ## this pty. ##

## ## ##

## An object type that will applied to a pty. ##

## # interface(`term_user_pty',` gen_require(` attribute server_ptynode; ') term_pty($2) type_change $1 server_ptynode:chr_file $2; ') ######################################## ##

## Transform specified type into a pty type ## used by login programs, such as sshd. ##

## ##

## An object type that will applied to a pty. ##

## # interface(`term_login_pty',` gen_require(` attribute server_ptynode; ') term_pty($1) typeattribute $1 server_ptynode; ') ######################################## ##

## Transform specified type into a tty type. ##

## ##

## An object type that will applied to a tty. ##

## # interface(`term_tty',` gen_require(` attribute ttynode, serial_device; type tty_device_t; ') typeattribute $2 ttynode, serial_device; type_change $1 tty_device_t:chr_file $2; fs_associate($1) files_associate_tmp($1) # Debian login is from shadow utils and does not allow resetting the perms. # have to fix this! ifdef(`distro_debian',` type_change $1 ttynode:chr_file $2; ') ifdef(`distro_gentoo',` fs_associate_tmpfs($2) ') ifdef(`distro_redhat',` fs_associate_tmpfs($2) ') ') ######################################## ##

## Create a pty in the /dev/pts directory. ##

## ##

## The type of the process creating the pty. ##

## ## ##

## The type of the pty. ##

## # interface(`term_create_pty',` gen_require(` type bsdpty_device_t, devpts_t, ptmx_t; ') dev_list_all_dev_nodes($1) allow $1 ptmx_t:chr_file rw_file_perms; allow $1 devpts_t:dir r_dir_perms; allow $1 devpts_t:filesystem getattr; dontaudit $1 bsdpty_device_t:chr_file { getattr read write }; type_transition $1 devpts_t:chr_file $2; ') ######################################## ##

## Read and write the console, all ## ttys and all ptys. ##

## ##

## Domain allowed access. ##

## # interface(`term_use_all_terms',` gen_require(` attribute ttynode, ptynode; type console_device_t, devpts_t, tty_device_t; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir r_dir_perms; allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms; ') ######################################## ##

## Write to the console. ##

## ##

## Domain allowed access. ##

## # interface(`term_write_console',` gen_require(` type console_device_t; ') dev_list_all_dev_nodes($1) allow $1 console_device_t:chr_file { getattr write append }; ') ######################################## ##

## Read from the console. ##

## ##

## Domain allowed access. ##

## # interface(`term_read_console',` gen_require(` type console_device_t; ') dev_list_all_dev_nodes($1) allow $1 console_device_t:chr_file read; ') ######################################## ##

## Read from and write to the console. ##

## ##

## Domain allowed access. ##

## # interface(`term_use_console',` gen_require(` type console_device_t; ') dev_list_all_dev_nodes($1) allow $1 console_device_t:chr_file rw_file_perms; ') ######################################## ##

## Do not audit attemtps to read from ## or write to the console. ##

## ##

## Domain allowed access. ##

## # interface(`term_dontaudit_use_console',` gen_require(` type console_device_t; ') dontaudit $1 console_device_t:chr_file rw_file_perms; ') ######################################## ##

## Set the attributes of the console ## device node. ##

## ##

## Domain allowed access. ##

## # interface(`term_setattr_console',` gen_require(` type console_device_t; ') dev_list_all_dev_nodes($1) allow $1 console_device_t:chr_file setattr; ') ######################################## ##

## Create the console device (/dev/console). ##

## ##

## Domain allowed access. ##

## # interface(`term_create_console_dev',` gen_require(` type device_t, console_device_t; ') allow $1 device_t:dir add_entry_dir_perms; allow $1 console_device_t:chr_file create; allow $1 self:capability mknod; ') ######################################## ##

## Get the attributes of a pty filesystem ##

## ##

## Domain allowed access. ##

## # interface(`term_getattr_pty_fs',` gen_require(` type devpts_t; ') allow $1 devpts_t:filesystem getattr; ') ######################################## ##

## Do not audit attempts to get the ## attributes of the /dev/pts directory. ##

## ##

## The type of the process to not audit. ##

## # interface(`term_dontaudit_getattr_pty_dirs',` gen_require(` type devpts_t; ') dontaudit $1 devpts_t:dir getattr; ') ######################################## ##

## Search the contents of the /dev/pts directory. ##

## ##

## Domain allowed access. ##

## # interface(`term_search_ptys',` gen_require(` type devpts_t; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir search; ') ######################################## ##

## Do not audit attempts to search the ## contents of the /dev/pts directory. ##

## ##

## Domain allowed access. ##

## # interface(`term_dontaudit_search_ptys',` gen_require(` type devpts_t; ') dev_dontaudit_list_all_dev_nodes($1) dontaudit $1 devpts_t:dir search; ') ######################################## ##

## Read the /dev/pts directory to ## list all ptys. ##

## ##

## Domain allowed access. ##

## # interface(`term_list_ptys',` gen_require(` type devpts_t; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir r_dir_perms; ') ######################################## ##

## Do not audit attempts to read the ## /dev/pts directory. ##

## ##

## The type of the process to not audit. ##

## # interface(`term_dontaudit_list_ptys',` gen_require(` type devpts_t; ') dontaudit $1 devpts_t:dir { getattr search read }; ') ######################################## ##

## Do not audit attempts to create, read, ## write, or delete the /dev/pts directory. ##

## ##

## The type of the process to not audit. ##

## # interface(`term_dontaudit_manage_pty_dirs',` gen_require(` type devpts_t; ') dontaudit $1 devpts_t:dir create_dir_perms; ') ######################################## ##

## ioctl of generic pty types. ##

## ##

## Domain allowed access. ##

## # # cjp: added for ppp interface(`term_ioctl_generic_ptys',` gen_require(` type devpts_t; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir search; allow $1 devpts_t:chr_file ioctl; ') ######################################## ##

## Read and write the generic pty ## type. This is generally only used in ## the targeted policy. ##

## ##

## Domain allowed access. ##

## # interface(`term_use_generic_ptys',` gen_require(` type devpts_t; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir list_dir_perms; allow $1 devpts_t:chr_file { rw_term_perms lock append }; ') ######################################## ##

## Dot not audit attempts to read and ## write the generic pty type. This is ## generally only used in the targeted policy. ##

## ##

## The type of the process to not audit. ##

## # interface(`term_dontaudit_use_generic_ptys',` gen_require(` type devpts_t; ') dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ') ######################################## ##

## Read and write the controlling ## terminal (/dev/tty). ##

## ##

## Domain allowed access. ##

## # interface(`term_use_controlling_term',` gen_require(` type devtty_t; ') dev_list_all_dev_nodes($1) allow $1 devtty_t:chr_file { rw_term_perms lock append }; ') ######################################## ##

## Read and write the pty multiplexor (/dev/ptmx). ##

## ##

## The type of the process to allow access. ##

## # interface(`term_use_ptmx',` gen_require(` type ptmx_t; ') allow $1 ptmx_t:chr_file rw_file_perms; ') ######################################## ##

## Do not audit attempts to read and ## write the pty multiplexor (/dev/ptmx). ##

## ##

## The type of the process to not audit. ##

## # interface(`term_dontaudit_use_ptmx',` gen_require(` type ptmx_t; ') dontaudit $1 ptmx_t:chr_file { getattr read write }; ') ######################################## ##

## Get the attributes of all user ## pty device nodes. ##

## ##

## Domain allowed access. ##

## # interface(`term_getattr_all_user_ptys',` gen_require(` attribute ptynode; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir r_dir_perms; allow $1 ptynode:chr_file getattr; ') ######################################## ##

## Do not audit attempts to get the ## attributes of any user pty ## device nodes. ##

## ##

## Domain allowed access. ##

## # interface(`term_dontaudit_getattr_all_user_ptys',` gen_require(` attribute ptynode; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir r_dir_perms; dontaudit $1 ptynode:chr_file getattr; ') ######################################## ##

## Set the attributes of all user ## pty device nodes. ##

## ##

## Domain allowed access. ##

## # interface(`term_setattr_all_user_ptys',` gen_require(` attribute ptynode; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir r_dir_perms; allow $1 ptynode:chr_file setattr; ') ######################################## ##

## Relabel to all user ptys. ##

## ##

## Domain allowed access. ##

## # interface(`term_relabelto_all_user_ptys',` gen_require(` attribute ptynode; ') allow $1 ptynode:chr_file relabelto; ') ######################################## ##

## Read and write all user ptys. ##

## ##

## Domain allowed access. ##

## # interface(`term_use_all_user_ptys',` gen_require(` attribute ptynode; type devpts_t; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir r_dir_perms; allow $1 ptynode:chr_file { rw_term_perms lock append }; ') ######################################## ##

## Do not audit attempts to read any ## user ptys. ##

## ##

## The type of the process to not audit. ##

## # interface(`term_dontaudit_use_all_user_ptys',` gen_require(` attribute ptynode; ') dontaudit $1 ptynode:chr_file { rw_term_perms lock append }; ') ######################################## ##

## Relabel from and to all user ## user pty device nodes. ##

## ##

## Domain allowed access. ##

## # interface(`term_relabel_all_user_ptys',` gen_require(` attribute ptynode; type devpts_t; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir search; allow $1 ptynode:chr_file { relabelfrom relabelto }; ') ######################################## ##

## Get the attributes of all unallocated ## tty device nodes. ##

## ##

## Domain allowed access. ##

## # interface(`term_getattr_unallocated_ttys',` gen_require(` type tty_device_t; ') dev_list_all_dev_nodes($1) allow $1 tty_device_t:chr_file getattr; ') ######################################## ##

## Do not audit attempts to get the attributes ## of all unallocated tty device nodes. ##

## ##

## Domain allowed access. ##

## # interface(`term_dontaudit_getattr_unallocated_ttys',` gen_require(` type tty_device_t; ') dontaudit $1 tty_device_t:chr_file getattr; ') ######################################## ##

## Set the attributes of all unallocated ## tty device nodes. ##

## ##

## Domain allowed access. ##

## # interface(`term_setattr_unallocated_ttys',` gen_require(` type tty_device_t; ') dev_list_all_dev_nodes($1) allow $1 tty_device_t:chr_file setattr; ') ######################################## ##

## Do not audit attempts to set the attributes ## of unallocated tty device nodes. ##

## ##

## Domain allowed access. ##

## # interface(`term_dontaudit_setattr_unallocated_ttys',` gen_require(` type tty_device_t; ') dontaudit $1 tty_device_t:chr_file setattr; ') ######################################## ##

## Do not audit attempts to ioctl ## unallocated tty device nodes. ##

## ##

## Domain allowed access. ##

## # interface(`term_dontaudit_ioctl_unallocated_ttys',` gen_require(` type tty_device_t; ') dontaudit $1 tty_device_t:chr_file ioctl; ') ######################################## ##

## Relabel from and to the unallocated ## tty type. ##

## ##

## Domain allowed access. ##

## # interface(`term_relabel_unallocated_ttys',` gen_require(` type tty_device_t; ') dev_list_all_dev_nodes($1) allow $1 tty_device_t:chr_file { relabelfrom relabelto }; ') ######################################## ##

## Relabel from all user tty types to ## the unallocated tty type. ##

## ##

## Domain allowed access. ##

## # interface(`term_reset_tty_labels',` gen_require(` attribute ttynode; type tty_device_t; ') dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file relabelfrom; allow $1 tty_device_t:chr_file relabelto; ') ######################################## ##

## Append to unallocated ttys. ##

## ##

## Domain allowed access. ##

## # interface(`term_append_unallocated_ttys',` gen_require(` type tty_device_t; ') dev_list_all_dev_nodes($1) allow $1 tty_device_t:chr_file { getattr append }; ') ######################################## ##

## Write to unallocated ttys. ##

## ##

## Domain allowed access. ##

## # interface(`term_write_unallocated_ttys',` gen_require(` type tty_device_t; ') dev_list_all_dev_nodes($1) allow $1 tty_device_t:chr_file { getattr write }; ') ######################################## ##

## Read and write unallocated ttys. ##

## ##

## Domain allowed access. ##

## # interface(`term_use_unallocated_ttys',` gen_require(` type tty_device_t; ') dev_list_all_dev_nodes($1) allow $1 tty_device_t:chr_file { rw_term_perms lock append }; ') ######################################## ##

## Do not audit attempts to read or ## write unallocated ttys. ##

## ##

## The type of the process to not audit. ##

## # interface(`term_dontaudit_use_unallocated_ttys',` gen_require(` type tty_device_t; ') dontaudit $1 tty_device_t:chr_file { read write }; ') ######################################## ##

## Get the attributes of all user tty ## device nodes. ##

## ##

## Domain allowed access. ##

## # interface(`term_getattr_all_user_ttys',` gen_require(` attribute ttynode; ') dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file getattr; ') ######################################## ##

## Do not audit attempts to get the ## attributes of any user tty ## device nodes. ##

## ##

## Domain allowed access. ##

## # interface(`term_dontaudit_getattr_all_user_ttys',` gen_require(` attribute ttynode; ') dev_list_all_dev_nodes($1) dontaudit $1 ttynode:chr_file getattr; ') ######################################## ##

## Set the attributes of all user tty ## device nodes. ##

## ##

## Domain allowed access. ##

## # interface(`term_setattr_all_user_ttys',` gen_require(` attribute ttynode; ') dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file setattr; ') ######################################## ##

## Relabel from and to all user ## user tty device nodes. ##

## ##

## Domain allowed access. ##

## # interface(`term_relabel_all_user_ttys',` gen_require(` attribute ttynode; ') dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file { relabelfrom relabelto }; ') ######################################## ##

## Write to all user ttys. ##

## ##

## Domain allowed access. ##

## # interface(`term_write_all_user_ttys',` gen_require(` attribute ttynode; ') dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file { getattr write }; ') ######################################## ##

## Read and write all user to all user ttys. ##

## ##

## Domain allowed access. ##

## # interface(`term_use_all_user_ttys',` gen_require(` attribute ttynode; ') dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file { rw_term_perms lock append }; ') ######################################## ##

## Do not audit attempts to read or write ## any user ttys. ##

## ##

## Domain allowed access. ##

## # interface(`term_dontaudit_use_all_user_ttys',` gen_require(` attribute ttynode; ') dontaudit $1 ttynode:chr_file { read write }; ')