interface-ize screen fixes

refpolicy/policy/modules/apps/screen.if

@@ -70,8 +70,6 @@ template(`screen_per_userdomain_template',`
 	allow $1_screen_t $1_screen_tmp_t:fifo_file create_file_perms;
 	files_create_tmp_files($1_screen_t, $1_screen_tmp_t, { file dir })
 
-allow $1_screen_t $1_devpts_t:chr_file setattr;
-
 	# Create fifo
 	allow $1_screen_t screen_dir_t:dir rw_dir_perms;
 	allow $1_screen_t screen_dir_t:dir create_dir_perms;
@@ -160,6 +158,7 @@ allow $1_screen_t $1_devpts_t:chr_file setattr;
 	userdom_use_user_terminals($1,$1_screen_t)
 	userdom_create_user_pty($1,$1_screen_t)
 	userdom_user_home_domtrans($1,$1_screen_t,$2)
+	userdom_setattr_user_pty($1,$1_screen_t)
 
 	tunable_policy(`read_default_t',`
 		files_list_default($1_screen_t)

refpolicy/policy/modules/system/userdomain.if

@@ -1020,6 +1020,37 @@ template(`userdom_home_file',`
 	files_type($2)
 ')
 
+########################################
+## <summary>
+##	Set the attributes of a user pty.
+## </summary>
+## <desc>
+##	<p>
+##	Set the attributes of a user pty.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+template(`userdom_setattr_user_pty',`
+	ifdef(`strict_policy',`
+		gen_require(`
+			type $1_devpts_t;
+		')
+
+		allow $2 $1_devpts_t:chr_file setattr;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Create a user pty.