tty and caps fixes

2005-11-01 15:34:00 +00:00 · 2005-11-01 15:34:00 +00:00 · 7ac22585e3
commit 7ac22585e3
parent 0b12fa4bd0
6 changed files with 18 additions and 1 deletions
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@ -247,6 +247,11 @@ ifdef(`distro_redhat',`
 	allow ndc_t named_conf_t:dir search;
 ')

+ifdef(`targeted_policy', `
+	term_use_unallocated_tty(ndc_t)
+	term_use_generic_pty(ndc_t)
+')
+
 tunable_policy(`named_write_master_zones',`
 	allow named_t named_zone_t:dir create_dir_perms;
 	allow named_t named_zone_t:file create_file_perms;
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@ -451,6 +451,11 @@ sysnet_dontaudit_read_config(postfix_postdrop_t)

 mta_rw_user_mail_stream_socket(postfix_postdrop_t)

+ifdef(`targeted_policy', `
+	term_use_unallocated_tty(postfix_postdrop_t)
+	term_use_generic_pty(postfix_postdrop_t)
+')
+
 optional_policy(`crond.te',`
 	cron_use_fd(postfix_postdrop_t)
 	cron_rw_pipe(postfix_postdrop_t)
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@ -26,6 +26,7 @@ files_type(snmpd_var_lib_t)
 # Local policy
 #
 allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
+dontaudit snmpd_t self:capability sys_tty_config;
 allow snmpd_t self:fifo_file rw_file_perms;
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
 allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@ -270,7 +270,7 @@ kernel_read_system_state(system_chkpwd_t)

 fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)

-term_use_unallocated_tty(system_chkpwd_t)
+term_dontaudit_use_unallocated_tty(system_chkpwd_t)

 domain_dontaudit_use_wide_inherit_fd(system_chkpwd_t)

--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@ -190,6 +190,11 @@ files_list_home(depmod_t)
 userdom_read_staff_home_files(depmod_t)
 userdom_read_sysadm_home_files(depmod_t)

+ifdef(`targeted_policy', `
+	term_use_unallocated_tty(depmod_t)
+	term_use_generic_pty(depmod_t)
+')
+
 optional_policy(`rpm.te',`
 	rpm_rw_pipe(depmod_t)
 ')
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@ -26,6 +26,7 @@ logging_send_syslog_msg(unconfined_t)

 ifdef(`targeted_policy',`
 	allow unconfined_t self:system syslog_read;
+	dontaudit unconfined_t self:capability sys_module;

 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.