rpms / selinux-policy

Clone
Source Code
GIT

Files

  1.   ec848d247f563b01bb7338b2ef8a00c00c67c0bc
  2.   strict
  3.   macros
  4.   program
  5.   gph_macros.te
Blob Blame History Raw 
#
# Macros for gnome-pty-helper domains.
#

#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
#

#
# gph_domain(domain_prefix, role_prefix)
#
# Define a derived domain for the gnome-pty-helper program when
# executed by a user domain.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/gnome-pty-helper.te. 
#
# The *_gph_t domains are for the gnome_pty_helper program.
# This program is executed by gnome-terminal to handle
# updates to utmp and wtmp.  In this regard, it is similar
# to utempter.  However, unlike utempter, gnome-pty-helper
# also creates the pty file for the terminal program.
# There is one *_gph_t domain for each user domain.  
#
undefine(`gph_domain')
define(`gph_domain',`
# Derived domain based on the calling user domain and the program.
type $1_gph_t, domain, gphdomain, nscd_client_domain;

# Transition from the user domain to the derived domain.
domain_auto_trans($1_t, gph_exec_t, $1_gph_t)

# The user role is authorized for this domain.
role $2_r types $1_gph_t;

# This domain is granted permissions common to most domains.
uses_shlib($1_gph_t)

# Use capabilities.
allow $1_gph_t self:capability { chown fsetid setgid setuid };

# Update /var/run/utmp and /var/log/wtmp.
allow $1_gph_t { var_t var_run_t }:dir search;
allow $1_gph_t initrc_var_run_t:file rw_file_perms;
allow $1_gph_t wtmp_t:file rw_file_perms;

# Allow gph to rw to stream sockets of appropriate user type.
# (Need this so gnome-pty-helper can pass pty fd to parent 
#  gnome-terminal which is running in a user domain.)
allow $1_gph_t $1_t:unix_stream_socket rw_stream_socket_perms;

allow $1_gph_t self:unix_stream_socket create_stream_socket_perms;

# Allow user domain to use pty fd from gnome-pty-helper.
allow $1_t $1_gph_t:fd use;

# Use the network, e.g. for NIS lookups.
can_resolve($1_gph_t)
can_ypbind($1_gph_t)

allow $1_gph_t etc_t:file { getattr read };

# Added by David A. Wheeler:
# Allow gnome-pty-helper to update /var/log/lastlog
# (the gnome-pty-helper in Red Hat Linux 7.1 does this):
allow $1_gph_t lastlog_t:file rw_file_perms;
allow $1_gph_t var_log_t:dir search;
allow $1_t $1_gph_t:process signal;

ifelse($2, `system', `
# Create ptys for the system
can_create_other_pty($1_gph, initrc)
', `
# Create ptys for the user domain.
can_create_other_pty($1_gph, $1)

# Read and write the users tty.
allow $1_gph_t $1_tty_device_t:chr_file rw_file_perms;

# Allow gnome-pty-helper to write the .xsession-errors file.
allow $1_gph_t home_root_t:dir search;
allow $1_gph_t $1_home_t:dir { search add_name };
allow $1_gph_t $1_home_t:file { create write };
')dnl end ifelse system
')dnl end macro

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation