#DESC sulogin - Single-User login

#

# Authors:  Dan Walsh <dwalsh@redhat.com>

#

# X-Debian-Packages: sysvinit

#################################

# 

# Rules for the sulogin_t domain

#

type sulogin_t, domain, privrole, privowner, privlog, privfd, privuser, auth;

type sulogin_exec_t, file_type, exec_type, sysadmfile;

role system_r types sulogin_t;

general_domain_access(sulogin_t)

domain_auto_trans({ initrc_t init_t }, sulogin_exec_t, sulogin_t)

allow sulogin_t initrc_t:process getpgid;

uses_shlib(sulogin_t)

# suse and debian do not use pam with sulogin...

ifdef(`distro_suse', `

define(`sulogin_no_pam', `')

')

ifdef(`distro_debian', `

define(`sulogin_no_pam', `')

')

ifdef(`sulogin_no_pam', `

domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)

allow sulogin_t init_t:process getpgid;

allow sulogin_t self:capability sys_tty_config;

', `

domain_trans(sulogin_t, shell_exec_t, sysadm_t)

allow sulogin_t shell_exec_t:file r_file_perms;

can_setexec(sulogin_t)

can_getsecurity(sulogin_t)

')

r_dir_file(sulogin_t, etc_t)

allow sulogin_t bin_t:dir r_dir_perms;

r_dir_file(sulogin_t, proc_t)

allow sulogin_t root_t:dir search;

allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };

allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;

allow sulogin_t default_context_t:dir search;

allow sulogin_t default_context_t:file { getattr read };

r_dir_file(sulogin_t, selinux_config_t)

# because file systems are not mounted

dontaudit sulogin_t file_t:dir search;