#

# Macros for gnome-pty-helper domains.

#

#

# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 

#

#

# gph_domain(domain_prefix, role_prefix)

#

# Define a derived domain for the gnome-pty-helper program when

# executed by a user domain.

#

# The type declaration for the executable type for this program is

# provided separately in domains/program/gnome-pty-helper.te. 

#

# The *_gph_t domains are for the gnome_pty_helper program.

# This program is executed by gnome-terminal to handle

# updates to utmp and wtmp.  In this regard, it is similar

# to utempter.  However, unlike utempter, gnome-pty-helper

# also creates the pty file for the terminal program.

# There is one *_gph_t domain for each user domain.  

#

undefine(`gph_domain')

define(`gph_domain',`

# Derived domain based on the calling user domain and the program.

type $1_gph_t, domain, gphdomain, nscd_client_domain;

# Transition from the user domain to the derived domain.

domain_auto_trans($1_t, gph_exec_t, $1_gph_t)

# The user role is authorized for this domain.

role $2_r types $1_gph_t;

# This domain is granted permissions common to most domains.

uses_shlib($1_gph_t)

# Use capabilities.

allow $1_gph_t self:capability { chown fsetid setgid setuid };

# Update /var/run/utmp and /var/log/wtmp.

allow $1_gph_t { var_t var_run_t }:dir search;

allow $1_gph_t initrc_var_run_t:file rw_file_perms;

allow $1_gph_t wtmp_t:file rw_file_perms;

# Allow gph to rw to stream sockets of appropriate user type.

# (Need this so gnome-pty-helper can pass pty fd to parent 

#  gnome-terminal which is running in a user domain.)

allow $1_gph_t $1_t:unix_stream_socket rw_stream_socket_perms;

allow $1_gph_t self:unix_stream_socket create_stream_socket_perms;

# Allow user domain to use pty fd from gnome-pty-helper.

allow $1_t $1_gph_t:fd use;

# Use the network, e.g. for NIS lookups.

can_resolve($1_gph_t)

can_ypbind($1_gph_t)

allow $1_gph_t etc_t:file { getattr read };

# Added by David A. Wheeler:

# Allow gnome-pty-helper to update /var/log/lastlog

# (the gnome-pty-helper in Red Hat Linux 7.1 does this):

allow $1_gph_t lastlog_t:file rw_file_perms;

allow $1_gph_t var_log_t:dir search;

allow $1_t $1_gph_t:process signal;

ifelse($2, `system', `

# Create ptys for the system

can_create_other_pty($1_gph, initrc)

', `

# Create ptys for the user domain.

can_create_other_pty($1_gph, $1)

# Read and write the users tty.

allow $1_gph_t $1_tty_device_t:chr_file rw_file_perms;

# Allow gnome-pty-helper to write the .xsession-errors file.

allow $1_gph_t home_root_t:dir search;

allow $1_gph_t $1_home_t:dir { search add_name };

allow $1_gph_t $1_home_t:file { create write };

')dnl end ifelse system

')dnl end macro