From 0e8ec4339e7321c18cf0dd2f950d34e747899b12 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 4 Jan 2006 18:32:22 +0000
Subject: [PATCH] add openct

---
 refpolicy/Changelog | 1 +
 refpolicy/policy/modules/services/openct.fc | 9 +++
 refpolicy/policy/modules/services/openct.if | 1 +
 refpolicy/policy/modules/services/openct.te | 71 +++++++++++++++++++++
 4 files changed, 82 insertions(+)
 create mode 100644 refpolicy/policy/modules/services/openct.fc
 create mode 100644 refpolicy/policy/modules/services/openct.if
 create mode 100644 refpolicy/policy/modules/services/openct.te

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 9d1ca783..1a9c1e06 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -6,6 +6,7 @@
 automount
 ddcprobe
 fetchmail
+ openct
 smartmon
 sysstat
 vbetool (Dan Walsh)
diff --git a/refpolicy/policy/modules/services/openct.fc b/refpolicy/policy/modules/services/openct.fc
new file mode 100644
index 00000000..8aaadc56
--- /dev/null
+++ b/refpolicy/policy/modules/services/openct.fc
@@ -0,0 +1,9 @@
+#
+# /usr
+#
+/usr/sbin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0)
+
+#
+# /var
+#
+/var/run/openct(/.*)? gen_context(system_u:object_r:openct_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/openct.if b/refpolicy/policy/modules/services/openct.if
new file mode 100644
index 00000000..6df1a482
--- /dev/null
+++ b/refpolicy/policy/modules/services/openct.if
@@ -0,0 +1 @@
+## Service for handling smart card readers.
diff --git a/refpolicy/policy/modules/services/openct.te b/refpolicy/policy/modules/services/openct.te
new file mode 100644
index 00000000..964efb58
--- /dev/null
+++ b/refpolicy/policy/modules/services/openct.te
@@ -0,0 +1,71 @@
+
+policy_module(openct,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openct_t;
+type openct_exec_t;
+init_daemon_domain(openct_t,openct_exec_t)
+
+type openct_var_run_t;
+files_pid_file(openct_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit openct_t self:capability sys_tty_config;
+allow openct_t self:process signal_perms;
+
+allow openct_t openct_var_run_t:file create_file_perms;
+allow openct_t openct_var_run_t:dir rw_dir_perms;
+files_create_pid(openct_t,openct_var_run_t)
+
+kernel_read_kernel_sysctl(openct_t)
+kernel_list_proc(openct_t)
+kernel_read_proc_symlinks(openct_t)
+
+dev_read_sysfs(openct_t)
+# openct asks for this
+dev_rw_usbfs(openct_t)
+
+domain_use_wide_inherit_fd(openct_t)
+
+# openct asks for this
+files_read_etc_files(openct_t)
+
+fs_getattr_all_fs(openct_t)
+fs_search_auto_mountpoints(openct_t)
+
+term_dontaudit_use_console(openct_t)
+
+init_use_fd(openct_t)
+init_use_script_pty(openct_t)
+
+libs_use_ld_so(openct_t)
+libs_use_shared_libs(openct_t)
+
+logging_send_syslog_msg(openct_t)
+
+miscfiles_read_localization(openct_t)
+
+userdom_dontaudit_use_unpriv_user_fd(openct_t)
+userdom_dontaudit_search_sysadm_home_dir(openct_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(openct_t)
+ term_dontaudit_use_generic_pty(openct_t)
+ files_dontaudit_read_root_file(openct_t)
+')
+
+optional_policy(`selinuxutil',`
+ seutil_sigchld_newrole(openct_t)
+')
+
+optional_policy(`udev',`
+ udev_read_db(openct_t)
+')
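Review bot: The only rules on openct_var_run_t in this hunk are `allow openct_t openct_var_run_t:file create_file_perms;` and `allow openct_t openct_var_run_t:dir rw_dir_perms;`, while the openct.if created by the same commit holds just a description line and no interfaces, so no client domain (pcscd, or a user domain running the opensc tools) can ever be granted access to what openct-control publishes under /var/run/openct — the daemon is confined but unreachable until such an interface exists. If, as I recall of openct, the daemon also creates per-reader unix sockets and a status file in that directory, it additionally needs `allow openct_t openct_var_run_t:sock_file create_file_perms;`; confirm that against AVC denials from a real run rather than adding it blind. I would add an `openct_stream_connect(domain)` interface to openct.if granting `search` on openct_var_run_t directories and `connectto` on the sockets, plus a read interface for the status file, so pcscd and userdomain policy can call them. Separately, `dev_rw_usbfs(openct_t)` is write access to every USB device node, not only card readers, and the type system cannot narrow it; the bare `# openct asks for this` should say so, e.g. `# openct drives readers via usbfs; this unavoidably covers all USB devices`.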