#DESC Utempter - Privileged helper for utmp/wtmp updates

#

# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  

# X-Debian-Packages:

#

#################################

#

# Rules for the utempter_t domain.

#

# This is the domain for the utempter program.  utempter is

# executed by xterm to update utmp and wtmp.

# utempter_exec_t is the type of the utempter binary.

#

type utempter_t, domain, nscd_client_domain;

in_user_role(utempter_t)

role sysadm_r types utempter_t;

uses_shlib(utempter_t)

type utempter_exec_t, file_type, sysadmfile, exec_type;

domain_auto_trans(userdomain, utempter_exec_t, utempter_t)

# Use capabilities.

allow utempter_t self:capability setgid;

allow utempter_t etc_t:file { getattr read };

# Update /var/run/utmp and /var/log/wtmp.

allow utempter_t initrc_var_run_t:file rw_file_perms;

allow utempter_t var_log_t:dir search;

allow utempter_t wtmp_t:file rw_file_perms;

# dontaudit access to /dev/ptmx.

dontaudit utempter_t ptmx_t:chr_file rw_file_perms;

dontaudit utempter_t sysadm_devpts_t:chr_file { read write };

# Allow utemper to write to /tmp/.xses-*

allow utempter_t user_tmpfile:file { getattr write append };

# Inherit and use descriptors from login.

allow utempter_t privfd:fd use;

ifdef(`xdm.te', `

allow utempter_t xdm_t:fd use;

allow utempter_t xdm_t:fifo_file { write getattr };

')

allow utempter_t self:unix_stream_socket create_stream_socket_perms;

# Access terminals.

allow utempter_t ttyfile:chr_file getattr;

allow utempter_t ptyfile:chr_file getattr;

allow utempter_t devpts_t:dir search;

dontaudit utempter_t {ttyfile ptyfile}:chr_file { read write };