diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index efea349..ff1d9fb 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -2,17 +2,23 @@ ## Policy for terminals. ######################################## +## +## +## Transform specified type into a pty type. +## +## +## An object type that will applied to a pty. +## +## # -# term_make_pty(type) -# -define(`term_make_pty',` +define(`term_pty',` requires_block_template(`$0'_depend) allow $1 devpts_t:filesystem associate; typeattribute $1 ptynode; ') -define(`term_make_pty_depend',` +define(`term_pty_depend',` attribute ptynode; type devpts_t; @@ -21,35 +27,9 @@ define(`term_make_pty_depend',` ') ######################################## -## -## -## Transform specified type into a user -## pty type. Interactive ptys will be relabeled -## -## -## The userdomain associated with this pty. -## -## -## An object type that will applied to a pty. -## -## -# -define(`term_make_user_pty',` - requires_block_template(`$0'_depend) - - term_make_pty($1) - type_change $1 server_ptynode:chr_file $2; -') - -define(`term_make_user_pty_depend',` - attribute server_ptynode; -') - - -######################################## -## +## ## -## Transform specified type into an interactive +## Transform specified type into an user ## pty type. This allows it to be relabeled via ## type change by login programs such as ssh. ## 
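Review bot: The new parameter description for term_pty, `+## An object type that will applied to a pty.`, is missing a verb and should read `## An object type that will be applied to a pty.`. The same wording is introduced for term_tty in the @@ -58,22 +38,28 hunk (`An object type that will applied to a tty.`) and should be corrected there in the same pass.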
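Review bot: The reworded summary line `+## Transform specified type into an user` should read `## Transform specified type into a user`; the rest of the sentence continues on the unchanged context lines. This hunk also drops term_make_user_pty together with its `type_change $1 server_ptynode:chr_file $2;` rule, while the replacement term_user_pty in the next hunk only adds the server_ptynode attribute; if that type_change is now expected to come from elsewhere, a short pointer in the new summary would save readers of this file from hunting for it.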
@@ -58,22 +38,28 @@ define(`term_make_user_pty_depend',` ## ## # -define(`term_make_interactive_pty',` +define(`term_user_pty',` requires_block_template(`$0'_depend) - terminal_make_pseudoterminal($1) + termi_pty($1) typeattribute $1 server_ptynode; ') -define(`terminal_make_service_pseudoterminal_depend',` +define(`term_user_pty_depend',` attribute server_ptynode; ') ######################################## +## +## +## Transform specified type into a tty type. +## +## +## An object type that will applied to a tty. +## +## # -# term_make_tty(domain,type) -# -define(`term_make_tty',` +define(`term_tty',` requires_block_template(`$0'_depend) typeattribute $2 ttynode; @@ -86,19 +72,28 @@ define(`term_make_tty',` ') ifdef(`distro_redhat',` - fs_tmpfs_associate($2) + fs_associate_tmpfs($2) ') ') -define(`term_make_tty_depend',` +define(`term_tty_depend',` attribute ttynode; type tty_device_t; ') ######################################## -# -# term_create_pty(domain,ptytype) +## +## +## Create a pty in the /dev/pts directory. +## +## +## The type of the process creating the pty. +## +## +## The type of the pty. +## +## # define(`term_create_pty',` requires_block_template(`$0'_depend) @@ -120,8 +115,15 @@ define(`term_create_pty_depend',` ') ######################################## -# -# term_use_all_terminals(domain) +## +## +## Read and write the console, all +## ttys and all ptys. +## +## +## The type of the process performing this action. +## +## # define(`term_use_all_terminals',` requires_block_template(`$0'_depend) @@ -188,7 +190,8 @@ define(`term_use_console_depend',` ######################################## ## ## -## Do not audit read from or write to the console. +## Do not audit attemtps to read from +## or write to the console. ## ## ## The type of the process performing this action. 
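Review bot: The body of term_user_pty calls `termi_pty($1)`, but the interface defined earlier in this diff is `term_pty`, so the call is an undefined m4 macro and expands to literal text instead of the pty rules; the line should be `term_pty($1)`. In the same hunk, the new header for term_tty documents a single parameter while the body still uses `typeattribute $2 ttynode;` (and `fs_associate_tmpfs($2)` in the following hunk), so either the first parameter needs its own param entry or the body should move to `$1`. The term_tty body continues outside this hunk.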
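Review bot: The rewrapped summary for term_dontaudit_use_console introduces a typo: `+## Do not audit attemtps to read from` should be `## Do not audit attempts to read from`.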
@@ -208,8 +211,15 @@ define(`term_dontaudit_use_console_depend',` ') ######################################## -# -# term_setattr_console(domain) +## +## +## Set the attributes of the console +## device node. +## +## +## The type of the process performing this action. +## +## # define(`term_setattr_console',` requires_block_template(`$0'_depend) @@ -225,8 +235,15 @@ define(`term_setattr_console_depend',` ') ######################################## -# -# term_list_ptys(domain) +## +## +## Read the /dev/pts directory to +## list all ptys. +## +## +## The type of the process performing this action. +## +## # define(`term_list_ptys',` requires_block_template(`$0'_depend) @@ -242,8 +259,15 @@ define(`term_list_ptys_depend',` ') ######################################## -# -# term_dontaudit_list_ptys(domain) +## +## +## Do not audit attempts to read the +## /dev/pts directory to. +## +## +## The type of the process to not audit. +## +## # define(`term_dontaudit_list_ptys',` requires_block_template(`$0'_depend) @@ -258,8 +282,16 @@ define(`term_dontaudit_list_ptys_depend',` ') ######################################## -# -# term_use_generic_pty(domain) +## +## +## Read and write the generic pty +## type. This is generally only used in +## the targeted policy. +## +## +## The type of the process performing this action. +## +## # define(`term_use_generic_pty',` requires_block_template(`$0'_depend) @@ -275,8 +307,16 @@ define(`term_use_generic_pty_depend',` ') ######################################## -# -# term_dontaudit_use_generic_pty(domain) +## +## +## Dot not audit attempts to read and +## write the generic pty type. This is +## generally only used in the targeted policy. +## +## +## The type of the process to not audit. +## +## # define(`term_dontaudit_use_generic_pty',` requires_block_template(`$0'_depend) 
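Review bot: The new summary for term_dontaudit_list_ptys ends mid-sentence: `+## /dev/pts directory to.`; presumably it was meant to mirror term_list_ptys, e.g. `## /dev/pts directory to list all ptys.`. Similar garbled summaries appear in the @@ -505,124 +619,165 hunk (`Relabel from and to all user` / `user tty device nodes.` and `Read and write all user to all user ttys.`) and are worth fixing together.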
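Review bot: The summary for term_dontaudit_use_generic_pty has a typo: `+## Dot not audit attempts to read and` should read `## Do not audit attempts to read and`.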
@@ -291,10 +331,17 @@ define(`term_dontaudit_use_generic_pty_depend',` ') ######################################## +## +## +## Read and write the controlling +## terminal (/dev/tty). +## +## +## The type of the process performing this action. +## +## # -# term_use_controlling_terminal(domain) -# -define(`term_use_controlling_terminal',` +define(`term_use_controlling_term',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) @@ -308,24 +355,38 @@ define(`term_use_controlling_terminal_depend',` ') ######################################## +## +## +## Do not audit attempts to read and +## write the pty multiplexor (/dev/ptmx). +## +## +## The type of the process to not audit. +## +## # -# term_dontaudit_rw_ptmx(domain) -# -define(`term_dontaudit_rw_ptmx',` +define(`term_dontaudit_use_ptmx',` requires_block_template(`$0'_depend) dontaudit $1 ptmx_t:chr_file { getattr read write }; ') -define(`term_dontaudit_rw_ptmx_depend',` +define(`term_dontaudit_use_ptmx_depend',` type ptmx_t; class chr_file { getattr read write }; ') ######################################## -# -# term_getattr_all_ptys(domain) +## +## +## Get the attributes of all pty +## device nodes. +## +## +## The type of the process performing this action. +## +## # define(`term_getattr_all_ptys',` requires_block_template(`$0'_depend) @@ -343,10 +404,16 @@ define(`term_getattr_all_ptys_depend',` ') ######################################## +## +## +## Read and write all user ptys. +## +## +## The type of the process performing this action. +## +## # -# term_use_all_private_ptys(domain) -# -define(`term_use_all_private_ptys',` +define(`term_use_all_user_ptys',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) @@ -354,7 +421,7 @@ define(`term_use_all_private_ptys',` allow $1 ptynode:chr_file { getattr read write ioctl }; ') -define(`term_use_all_private_ptys_depend',` +define(`term_use_all_user_ptys_depend',` attribute ptynode; class dir r_dir_perms; 
@@ -362,24 +429,38 @@ define(`term_use_all_private_ptys_depend',` ') ######################################## +## +## +## Do not audit attempts to read any +## user ptys. +## +## +## The type of the process to not audit. +## +## # -# term_dontaudit_use_all_private_ptys(domain) -# -define(`term_dontaudit_use_all_private_ptys',` +define(`term_dontaudit_use_all_user_ptys',` requires_block_template(`$0'_depend) dontaudit $1 ptynode:chr_file { read write }; ') -define(`term_dontaudit_use_all_private_ptys_depend',` +define(`term_dontaudit_use_all_user_ptys_depend',` attribute ptynode; class chr_file { read write }; ') ######################################## -# -# term_gettattr_unallocated_ttys(domain) +## +## +## Get the attributes of all unallocated +## tty device nodes. +## +## +## The type of the process performing this action. +## +## # define(`term_gettattr_unallocated_ttys',` requires_block_template(`$0'_depend) @@ -395,8 +476,15 @@ define(`term_gettattr_unallocated_ttys_depend',` ') ######################################## -# -# term_settattr_unallocated_ttys(domain) +## +## +## Set the attributes of all unallocated +## tty device nodes. +## +## +## The type of the process performing this action. +## +## # define(`term_settattr_unallocated_ttys',` requires_block_template(`$0'_depend) @@ -412,8 +500,15 @@ define(`term_settattr_unallocated_ttys_depend',` ') ######################################## -# -# term_relabel_unallocated_tty(domain) +## +## +## Relabel from and to the unallocated +## tty type. +## +## +## The type of the process performing this action. +## +## # define(`term_relabel_unallocated_tty',` requires_block_template(`$0'_depend) 
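Review bot: The new summary for term_dontaudit_use_all_user_ptys says `Do not audit attempts to read any user ptys`, but the rule under it is `dontaudit $1 ptynode:chr_file { read write };`, so write denials are silenced as well. The summary should say `## Do not audit attempts to read or write any` / `## user ptys.` so the full audit gap is visible to whoever reads the interface documentation.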
@@ -429,8 +524,15 @@ define(`term_relabel_unallocated_tty_depend',` ') ######################################## -# -# term_reset_tty_labels(domain) +## +## +## Relabel from all user tty types to +## the unallocated tty type. +## +## +## The type of the process performing this action. +## +## # define(`term_reset_tty_labels',` requires_block_template(`$0'_depend) @@ -450,8 +552,7 @@ define(`term_reset_tty_labels_depend',` ######################################## ## ## -## Write to all unallocated ttys. Has a backchannel of -## getting all tty attributes. +## Write to unallocated ttys. ## ## ## The type of the process performing this action. @@ -472,8 +573,14 @@ define(`term_write_general_tty_depend',` ') ######################################## -# -# term_use_unallocated_tty(domain) +## +## +## Read and write unallocated ttys. +## +## +## The type of the process performing this action. +## +## # define(`term_use_unallocated_tty',` requires_block_template(`$0'_depend) @@ -489,8 +596,15 @@ define(`term_use_unallocated_tty_depend',` ') ######################################## -# -# term_dontaudit_use_unallocated_tty(domain) +## +## +## Do not audit attempts to read or +## write unallocated ttys. +## +## +## The type of the process to not audit. +## +## # define(`term_dontaudit_use_unallocated_tty',` requires_block_template(`$0'_depend) 
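Review bot: The summary change for term_write_general_tty removes the note that it `Has a backchannel of getting all tty attributes`, but nothing in the hunk shows the corresponding permission going away; the rule body is outside this hunk. The parallel interface term_write_all_user_ttys in the @@ -505,124 +619,165 hunk loses the same note while its rule still grants `{ getattr write }`. If getattr is still granted here, keeping a one-line note such as `## Also allows getting the attributes of unallocated ttys.` preserves information a policy reviewer relies on when auditing information flow.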
@@ -505,124 +619,165 @@ define(`term_dontaudit_use_unallocated_tty_depend',` ') ######################################## +## +## +## Get the attributes of all user tty +## device nodes. +## +## +## The type of the process performing this action. +## +## # -# term_getattr_all_private_ttys(domain) -# -define(`term_getattr_all_private_ttys',` +define(`term_getattr_all_user_ttys',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 ttynode:chr_file getattr; ') -define(`term_getattr_all_private_ttys_depend',` +define(`term_getattr_all_user_ttys_depend',` attribute ttynode; class chr_file getattr; ') ######################################## +## +## +## Do not audit attempts to get the +## attributes of any user tty +## device nodes. +## +## +## The type of the process performing this action. +## +## # -# term_setattr_all_private_ttys(domain) -# -define(`term_setattr_all_private_ttys',` +define(`term_dontaudit_getattr_all_user_ttys',` requires_block_template(`$0'_depend) - devices_list_device_nodes($1) - allow $1 ttynode:chr_file setattr; + dontaudit $1 ttynode:chr_file getattr; ') -define(`term_setattr_all_private_ttys_depend',` +define(`term_dontaudit_getattr_all_user_ttys_depend',` attribute ttynode; - class chr_file setattr; + class chr_file getattr; ') ######################################## +## +## +## Set the attributes of all user tty +## device nodes. +## +## +## The type of the process performing this action. 
+## +## # -# term_dontaudit_getattr_all_private_ttys(domain) -# -define(`term_dontaudit_getattr_all_private_ttys',` +define(`term_setattr_all_user_ttys',` requires_block_template(`$0'_depend) - dontaudit $1 ttynode:chr_file getattr; + devices_list_device_nodes($1) + allow $1 ttynode:chr_file setattr; ') -define(`term_dontaudit_getattr_all_private_ttys_depend',` +define(`term_setattr_all_user_ttys_depend',` attribute ttynode; - class chr_file getattr; + class chr_file setattr; ') ######################################## +## +## +## Relabel from and to all user +## user tty device nodes. +## +## +## The type of the process performing this action. +## +## # -# term_relabel_all_private_ttys(domain) -# -define(`term_relabel_all_private_ttys',` +define(`term_relabel_all_user_ttys',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 ttynode:chr_file { relabelfrom relabelto }; ') -define(`term_relabel_all_private_ttys_depend',` +define(`term_relabel_all_user_ttys_depend',` attribute ttynode; class chr_file { relabelfrom relabelto }; ') ######################################## -## +## ## -## Write to all private ttys. Has a backchannel of -## getting all private tty attributes. +## Write to all user ttys. ## ## ## The type of the process performing this action. ## ## # -define(`term_write_all_private_ttys',` +define(`term_write_all_user_ttys',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 ttynode:chr_file { getattr write }; ') -define(`term_write_all_private_ttys_depend',` +define(`term_write_all_user_ttys_depend',` attribute ttynode; class chr_file { getattr write }; ') ######################################## +## +## +## Read and write all user to all user ttys. +## +## +## The type of the process performing this action. 
+## +## # -# term_use_all_private_ttys(domain) -# -define(`term_use_all_private_ttys',` +define(`term_use_all_user_ttys',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 ttynode:chr_file { getattr read write ioctl }; ') -define(`term_use_all_private_ttys_depend',` +define(`term_use_all_user_ttys_depend',` attribute ttynode; class chr_file { getattr read write ioctl }; ') ######################################## +## +## +## Do not audit attempts to read or write +## any user ttys. +## +## +## The type of the process performing this action. +## +## # -# term_dontaudit_use_all_private_ttys(domain) -# -define(`term_dontaudit_use_all_private_ttys',` +define(`term_dontaudit_use_all_user_ttys',` requires_block_template(`$0'_depend) dontaudit $1 ttynode:chr_file { read write }; ') -define(`term_dontaudit_use_all_private_ttys_depend',` +define(`term_dontaudit_use_all_user_ttys_depend',` attribute ttynode; class chr_file { read write };