#DESC Pamconsole - PAM console
# X-Debian-Packages:
#
# pam_console_apply
# Set up the pam_console domain through the daemon_base_domain macro, which is
# defined outside this file (presumably it declares pam_console_t and its
# entrypoint type - confirm in the macro definition). The quoted second argument
# appends the nscd_client_domain and mlsfileread attributes to the domain.
# NOTE(review): mlsfileread looks like an exemption from MLS read restrictions
# on files - confirm that this domain really needs it.
daemon_base_domain(pam_console, `, nscd_client_domain, mlsfileread')
# File type that pam_console_t reads and initrc_t manages in the rules of this
# file; it carries the file_type and sysadmfile attributes. The path it labels
# is set in the file contexts, which are not part of this file.
type pam_var_console_t, file_type, sysadmfile;
# Read-only access to files labelled etc_t; no write, create or unlink is granted.
allow pam_console_t etc_t:file { getattr read ioctl };
# The domain may create and use unix stream sockets of its own; the exact
# permission list comes from create_stream_socket_perms, defined elsewhere.
allow pam_console_t self:unix_stream_socket create_stream_socket_perms;
# Read /etc/mtab
# The grant is per type, not per path: every file labelled etc_runtime_t becomes
# readable. NOTE(review): etc_runtime_t presumably labels other generated files
# besides /etc/mtab - confirm against the file contexts.
allow pam_console_t etc_runtime_t:file { read getattr };
# Read /proc/meminfo
# The grant is per type, not per path: every file labelled proc_t becomes
# readable. NOTE(review): proc_t presumably covers generic /proc entries beyond
# /proc/meminfo - confirm which entries carry this label.
allow pam_console_t proc_t:file { read getattr };
# CAP_CHOWN, CAP_FOWNER and CAP_FSETID: the process may change owner and mode of
# files it does not own, overriding the DAC ownership checks. With those checks
# out of the way, the setattr rules in this file are what bound the object types
# the domain can re-own, so keep both this set and those rules minimal.
allow pam_console_t self:capability { chown fowner fsetid };
# Allow access to /dev/console through the fd:
# read and write on the console device, plus setattr, so the domain can also
# change the attributes (such as owner and mode) of the console device node.
allow pam_console_t console_device_t:chr_file { read write setattr };
# Use file descriptors opened by kernel_t and init_t. fd use only covers the
# descriptor itself; access to the object behind it is still checked by the
# rules for that object type.
allow pam_console_t { kernel_t init_t }:fd use;
# for /var/run/console.lock checking
# search only: enough to traverse directories labelled var_t and var_run_t by
# name, not to list their contents.
allow pam_console_t { var_t var_run_t }:dir search;
# Read access to pam_var_console_t directories and files through the r_dir_file
# macro (defined elsewhere; presumably read-only - confirm its expansion).
r_dir_file(pam_console_t, pam_var_console_t)
# Suppresses audit records for denied writes to pam_var_console_t files; the
# write stays denied unless some other rule allows it.
# NOTE(review): dontaudit also hides these denials from anyone investigating
# unexpected write attempts, so disable dontaudit rules when debugging or
# hunting for anomalies in this domain.
dontaudit pam_console_t pam_var_console_t:file write;
# Allow setting attributes on /dev entries
# getattr and read on directories labelled device_t; nothing here lets the
# domain add or remove entries in them.
allow pam_console_t device_t:dir { getattr read };
# Stat and read symbolic links labelled device_t.
allow pam_console_t device_t:lnk_file { getattr read };
# mouse_device_t is for joysticks
# getattr and setattr only: the domain may change attributes (such as owner and
# mode) of these character device nodes but gets no read or write on them here.
# NOTE(review): whoever ends up owning a node gains DAC access to the device, and
# the list includes tty_device_t and scsi_generic_device_t - confirm that each
# listed type is meant to be handed to the console user.
allow pam_console_t { xserver_misc_device_t framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
# getattr and setattr on block device nodes; no read or write is granted here.
# NOTE(review): fixed_disk_device_t is included, so the domain can change owner
# or mode of fixed disk nodes. Giving such a node to an unprivileged user would
# expose raw disk contents - confirm that the pam_console permission
# configuration never maps fixed disks to the console user.
allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };
# Directory read access on mnt_t; the permission list comes from r_dir_perms,
# defined elsewhere (presumably read-only - confirm its expansion).
allow pam_console_t mnt_t:dir r_dir_perms;
ifdef(`gpm.te', `
# Emitted only when gpm.te is defined: getattr and setattr on the gpmctl_t
# socket file. No write or connect permission is granted by this rule.
allow pam_console_t gpmctl_t:sock_file { getattr setattr };
')
ifdef(`hotplug.te', `
# Emitted only when hotplug.te is defined: searches of hotplug_etc_t
# directories stay denied (unless another rule allows them) but no longer
# produce audit records.
dontaudit pam_console_t hotplug_etc_t:dir search;
# Emitted only when hotplug.te is defined: use file descriptors opened by
# hotplug_t (presumably inherited when hotplug starts this program - confirm).
allow pam_console_t hotplug_t:fd use;
')
ifdef(`xdm.te', `
# Emitted only when xdm.te is defined: read-only access to files labelled
# xdm_var_run_t.
allow pam_console_t xdm_var_run_t:file { getattr read };
')
# This rule is for initrc_t, not pam_console_t: it gets read-write access to
# pam_var_console_t directories (permission list from rw_dir_perms, defined
# elsewhere).
allow initrc_t pam_var_console_t:dir rw_dir_perms;
# initrc_t may delete pam_var_console_t files; unlink is the only file
# permission granted here (presumably to clear stale state at boot - confirm).
allow initrc_t pam_var_console_t:file unlink;
# Read-only access to files labelled file_context_t (presumably the SELinux
# file contexts configuration - confirm).
allow pam_console_t file_context_t:file { getattr read };
# Apply the nsswitch_domain macro (defined elsewhere) to pam_console_t.
# NOTE(review): presumably this grants what name service lookups need, which
# may include network access depending on the macro - review its expansion
# before assuming this domain is local-only.
nsswitch_domain(pam_console_t)