#DESC Utempter - Privileged helper for utmp/wtmp updates
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
# X-Debian-Packages:
#

#################################
#
# Rules for the utempter_t domain.
#
# This is the domain for the utempter program.  utempter is
# executed by xterm to update utmp and wtmp.
# utempter_exec_t is the type of the utempter binary.
#
type utempter_t, domain, nscd_client_domain;
in_user_role(utempter_t)
role sysadm_r types utempter_t;
uses_shlib(utempter_t)
type utempter_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(userdomain, utempter_exec_t, utempter_t)

# Use capabilities.
allow utempter_t self:capability setgid;

allow utempter_t etc_t:file { getattr read };

# Update /var/run/utmp and /var/log/wtmp.
allow utempter_t initrc_var_run_t:file rw_file_perms;
allow utempter_t var_log_t:dir search;
allow utempter_t wtmp_t:file rw_file_perms;

# dontaudit access to /dev/ptmx.
dontaudit utempter_t ptmx_t:chr_file rw_file_perms;
dontaudit utempter_t sysadm_devpts_t:chr_file { read write };

# Allow utemper to write to /tmp/.xses-*
allow utempter_t user_tmpfile:file { getattr write append };

# Inherit and use descriptors from login.
allow utempter_t privfd:fd use;
ifdef(`xdm.te', `
allow utempter_t xdm_t:fd use;
allow utempter_t xdm_t:fifo_file { write getattr };
')

allow utempter_t self:unix_stream_socket create_stream_socket_perms;

# Access terminals.
allow utempter_t ttyfile:chr_file getattr;
allow utempter_t ptyfile:chr_file getattr;
allow utempter_t devpts_t:dir search;
dontaudit utempter_t {ttyfile ptyfile}:chr_file { read write };