#
# Macros for gnome-pty-helper domains.
#

#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#

#
# gph_domain(domain_prefix, role_prefix)
#
# Define a derived domain for the gnome-pty-helper program when
# executed by a user domain.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/gnome-pty-helper.te.
#
# The *_gph_t domains are for the gnome_pty_helper program.
# This program is executed by gnome-terminal to handle
# updates to utmp and wtmp. In this regard, it is similar
# to utempter. However, unlike utempter, gnome-pty-helper
# also creates the pty file for the terminal program.
# There is one *_gph_t domain for each user domain.
#
# Arguments:
#   $1  domain prefix of the caller. Expands to the calling domain
#       $1_t, the derived domain $1_gph_t and, in the non-system
#       branch, $1_tty_device_t and $1_home_t.
#   $2  role prefix. Expands to the role $2_r; the literal prefix
#       system selects the initrc pty branch at the end of the macro.
#
# NOTE: the macro body is a quoted m4 string, so comments inside it
# must not contain m4 quote characters (backquote or apostrophe) or
# the expansion will break.
#
undefine(`gph_domain')
define(`gph_domain',`
# Derived domain based on the calling user domain and the program.
# gphdomain is the attribute shared by every derived helper domain;
# nscd_client_domain presumably grants nscd client access for the
# name lookups below (both attributes are declared elsewhere).
type $1_gph_t, domain, gphdomain, nscd_client_domain;

# Transition from the user domain to the derived domain.
# Executing gph_exec_t from the user domain enters the derived domain
# automatically; gph_exec_t is declared in
# domains/program/gnome-pty-helper.te.
domain_auto_trans($1_t, gph_exec_t, $1_gph_t)

# The user role is authorized for this domain.
role $2_r types $1_gph_t;

# This domain is granted permissions common to most domains.
uses_shlib($1_gph_t)

# Use capabilities.
# Kept to the four the helper needs. setuid/setgid are presumably for
# dropping the privileges it starts with, chown/fsetid for handing the
# pty it creates to the terminal user; confirm against the helper source
# before widening this set.
allow $1_gph_t self:capability { chown fsetid setgid setuid };

# Update /var/run/utmp and /var/log/wtmp.
# utmp is presumably labelled initrc_var_run_t in this policy, hence the
# rw rule on that type; search on var_t and var_run_t only reaches the
# files and grants no listing.
allow $1_gph_t { var_t var_run_t }:dir search;
allow $1_gph_t initrc_var_run_t:file rw_file_perms;
allow $1_gph_t wtmp_t:file rw_file_perms;

# Allow gph to rw to stream sockets of appropriate user type.
# (Need this so gnome-pty-helper can pass pty fd to parent
# gnome-terminal which is running in a user domain.)
allow $1_gph_t $1_t:unix_stream_socket rw_stream_socket_perms;

# The helper also creates its own stream sockets, presumably the socket
# pair used for the fd transfer above.
allow $1_gph_t self:unix_stream_socket create_stream_socket_perms;

# Allow user domain to use pty fd from gnome-pty-helper.
# Receiving side of the fd transfer: the descriptor was created by the
# helper, so the user domain needs fd:use on the helper type.
allow $1_t $1_gph_t:fd use;

# Use the network, e.g. for NIS lookups.
can_resolve($1_gph_t)
can_ypbind($1_gph_t)

# Read configuration under /etc (e.g. nsswitch.conf for the lookups
# above). Read only; no write access to etc_t is granted.
allow $1_gph_t etc_t:file { getattr read };

# Added by David A. Wheeler:
# Allow gnome-pty-helper to update /var/log/lastlog
# (the gnome-pty-helper in Red Hat Linux 7.1 does this):
allow $1_gph_t lastlog_t:file rw_file_perms;
allow $1_gph_t var_log_t:dir search;
# Let the terminal in the user domain signal its helper (presumably on
# exit). Only signal is granted, not sigkill or ptrace.
allow $1_t $1_gph_t:process signal;

# Which pty the helper may create depends on the role prefix. The
# system branch grants pty creation only; the tty and home directory
# rules are only granted in the non-system branch.
ifelse($2, `system', `
# Create ptys for the system
# The first argument is a prefix (no _t suffix); the helper macro
# appends the suffixes it needs.
can_create_other_pty($1_gph, initrc)
', `
# Create ptys for the user domain.
can_create_other_pty($1_gph, $1)

# Read and write the users tty.
allow $1_gph_t $1_tty_device_t:chr_file rw_file_perms;

# Allow gnome-pty-helper to write the .xsession-errors file.
# This macro grants only create/write on files and search/add_name on
# the home directory; it grants no read or list access to the users
# home.
allow $1_gph_t home_root_t:dir search;
allow $1_gph_t $1_home_t:dir { search add_name };
allow $1_gph_t $1_home_t:file { create write };
')dnl end ifelse system
')dnl end macro