From 7ac22585e3f0d534638d70053bef4501555abf07 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 1 Nov 2005 15:34:00 +0000
Subject: [PATCH] tty and caps fixes

---
 refpolicy/policy/modules/services/bind.te | 5 +++++
 refpolicy/policy/modules/services/postfix.te | 5 +++++
 refpolicy/policy/modules/services/snmp.te | 1 +
 refpolicy/policy/modules/system/authlogin.te | 2 +-
 refpolicy/policy/modules/system/modutils.te | 5 +++++
 refpolicy/policy/modules/system/unconfined.te | 1 +
 6 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index c323392f..a4db2f72 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -247,6 +247,11 @@ ifdef(`distro_redhat',`
 allow ndc_t named_conf_t:dir search;
 ')
 
+ifdef(`targeted_policy', `
+ term_use_unallocated_tty(ndc_t)
+ term_use_generic_pty(ndc_t)
+')
+
 tunable_policy(`named_write_master_zones',`
 allow named_t named_zone_t:dir create_dir_perms;
 allow named_t named_zone_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 969692f6..e7ddcccf 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -451,6 +451,11 @@ sysnet_dontaudit_read_config(postfix_postdrop_t)
 
 mta_rw_user_mail_stream_socket(postfix_postdrop_t)
 
+ifdef(`targeted_policy', `
+ term_use_unallocated_tty(postfix_postdrop_t)
+ term_use_generic_pty(postfix_postdrop_t)
+')
+
 optional_policy(`crond.te',`
 cron_use_fd(postfix_postdrop_t)
 cron_rw_pipe(postfix_postdrop_t)
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index e4537578..45b81a36 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
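Review bot: The new opener `ifdef(`targeted_policy', `` in the bind.te hunk carries a space before the quoted body, whereas the existing opener visible in the unconfined.te hunk of this same commit is written `ifdef(`targeted_policy',`; the postfix.te and modutils.te hunks repeat the spaced form, so all three should match the file convention. Nothing in these blocks says why the targeted policy alone needs full `term_use_unallocated_tty`/`term_use_generic_pty` access for ndc_t, postfix_postdrop_t and depmod_t, while the authlogin.te hunk in the same commit satisfies a similar tty need for system_chkpwd_t with the `term_dontaudit_use_unallocated_tty` variant; if these helpers only need the denial silenced rather than real terminal I/O, the dontaudit form is the tighter choice. A one-line comment above each block, such as `# targeted policy: helper is run from the caller's terminal and writes its output there — TODO confirm`, would record the reason for the wider grant.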
@@ -26,6 +26,7 @@ files_type(snmpd_var_lib_t)
 # Local policy
 #
 allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
+dontaudit snmpd_t self:capability sys_tty_config;
 allow snmpd_t self:fifo_file rw_file_perms;
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
 allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 0fb6a6af..5dae3e76 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -270,7 +270,7 @@ kernel_read_system_state(system_chkpwd_t)
 
 fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
 
-term_use_unallocated_tty(system_chkpwd_t)
+term_dontaudit_use_unallocated_tty(system_chkpwd_t)
 
 domain_dontaudit_use_wide_inherit_fd(system_chkpwd_t)
 
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 5f68f1b8..5613a7a7 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -190,6 +190,11 @@ files_list_home(depmod_t)
 userdom_read_staff_home_files(depmod_t)
 userdom_read_sysadm_home_files(depmod_t)
 
+ifdef(`targeted_policy', `
+ term_use_unallocated_tty(depmod_t)
+ term_use_generic_pty(depmod_t)
+')
+
 optional_policy(`rpm.te',`
 rpm_rw_pipe(depmod_t)
 ')
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index ab9c9c61..5b06fdee 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -26,6 +26,7 @@ logging_send_syslog_msg(unconfined_t)
 
 ifdef(`targeted_policy',`
 allow unconfined_t self:system syslog_read;
+ dontaudit unconfined_t self:capability sys_module;
 
 # Define some type aliases to help with compatibility with
 # macros and domains from the "strict" policy.
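Review bot: The added `dontaudit snmpd_t self:capability sys_tty_config;` in the snmp.te hunk has no effect while the allow line directly above it still grants `sys_tty_config`: a dontaudit only suppresses the logging of a denial, and a permission that is allowed never produces one. If the "caps fixes" intent is to stop granting the capability and keep the resulting denials quiet, the allow line should become `allow snmpd_t self:capability { dac_override kill net_admin sys_nice };` alongside the new dontaudit. If snmpd genuinely needs the capability, the dontaudit line should be dropped instead, since as written the two rules contradict each other and the next reader cannot tell which one is the mistake.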
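Review bot: The new `dontaudit unconfined_t self:capability sys_module;` in the unconfined.te hunk silences, in the targeted policy, the denial record for an attempt by unconfined_t to use the module-loading capability, and nothing in the hunk says which program makes that attempt or why the record is unwanted; sys_module denials are a signal administrators usually keep, so the suppression deserves a comment such as `# <program> checks for sys_module at startup; suppress that noise — TODO name the program`. If unconfined_t already holds `sys_module` through its unconfined template (not visible in this hunk), the dontaudit is a no-op and can be dropped rather than documented. The enclosing `ifdef(`targeted_policy',`` block continues past the end of the hunk.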