## Policy for terminals. ## ## Depended on by other required modules. ## ######################################## ## ## Transform specified type into a pty type. ## ## ## An object type that will applied to a pty. ## # interface(`term_pty',` gen_require(` attribute ptynode; type devpts_t; ') files_type($1) allow $1 devpts_t:filesystem associate; typeattribute $1 ptynode; ') ######################################## ## ## Transform specified type into an user ## pty type. This allows it to be relabeled via ## type change by login programs such as ssh. ## ## ## The type of the user domain associated with ## this pty. ## ## ## An object type that will applied to a pty. ## # interface(`term_user_pty',` gen_require(` attribute server_ptynode; ') term_pty($2) type_change $2 server_ptynode:chr_file $1; ') ######################################## ## ## Transform specified type into a pty type ## used by login programs, such as sshd. ## ## ## An object type that will applied to a pty. ## # interface(`term_login_pty',` gen_require(` attribute server_ptynode; ') term_pty($1) typeattribute $1 server_ptynode; ') ######################################## ## ## Transform specified type into a tty type. ## ## ## An object type that will applied to a tty. ## # interface(`term_tty',` gen_require(` attribute ttynode, serial_device; type tty_device_t; ') typeattribute $2 ttynode, serial_device; type_change $1 tty_device_t:chr_file $2; files_associate_tmp($1) # Debian login is from shadow utils and does not allow resetting the perms. # have to fix this! ifdef(`distro_debian',` type_change $1 ttynode:chr_file $2; ') ifdef(`distro_redhat',` fs_associate_tmpfs($2) ') ') ######################################## ## ## Create a pty in the /dev/pts directory. ## ## ## The type of the process creating the pty. ## ## ## The type of the pty. ## # interface(`term_create_pty',` gen_require(` type bsdpty_device_t, devpts_t, ptmx_t; ') dev_list_all_dev_nodes($1) allow $1 ptmx_t:chr_file rw_file_perms; allow $1 devpts_t:dir r_dir_perms; allow $1 devpts_t:filesystem getattr; dontaudit $1 bsdpty_device_t:chr_file { getattr read write }; type_transition $1 devpts_t:chr_file $2; ') ######################################## ## ## Read and write the console, all ## ttys and all ptys. ## ## ## Domain allowed access. ## # interface(`term_use_all_terms',` gen_require(` attribute ttynode, ptynode; type console_device_t, devpts_t, tty_device_t; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir r_dir_perms; allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms; ') ######################################## ## ## Write to the console. ## ## ## Domain allowed access. ## # interface(`term_write_console',` gen_require(` type console_device_t; ') dev_list_all_dev_nodes($1) allow $1 console_device_t:chr_file write; ') ######################################## ## ## Read from the console. ## ## ## Domain allowed access. ## # interface(`term_read_console',` gen_require(` type console_device_t; ') dev_list_all_dev_nodes($1) allow $1 console_device_t:chr_file read; ') ######################################## ## ## Read from and write to the console. ## ## ## Domain allowed access. ## # interface(`term_use_console',` gen_require(` type console_device_t; ') dev_list_all_dev_nodes($1) allow $1 console_device_t:chr_file rw_file_perms; ') ######################################## ## ## Do not audit attemtps to read from ## or write to the console. ## ## ## Domain allowed access. ## # interface(`term_dontaudit_use_console',` gen_require(` type console_device_t; ') dontaudit $1 console_device_t:chr_file rw_file_perms; ') ######################################## ## ## Set the attributes of the console ## device node. ## ## ## Domain allowed access. ## # interface(`term_setattr_console',` gen_require(` type console_device_t; ') dev_list_all_dev_nodes($1) allow $1 console_device_t:chr_file setattr; ') ######################################## ## ## Do not audit attempts to get the ## attributes of the /dev/pts directory. ## ## ## The type of the process to not audit. ## # interface(`term_dontaudit_getattr_pty_dir',` gen_require(` type devpts_t; class dir getattr; ') dontaudit $1 devpts_t:dir getattr; ') ######################################## ## ## Search the contents of the /dev/pts directory. ## ## ## Domain allowed access. ## # interface(`term_search_ptys',` gen_require(` type devpts_t; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir search; ') ######################################## ## ## Read the /dev/pts directory to ## list all ptys. ## ## ## Domain allowed access. ## # interface(`term_list_ptys',` gen_require(` type devpts_t; class dir r_dir_perms; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir r_dir_perms; ') ######################################## ## ## Do not audit attempts to read the ## /dev/pts directory. ## ## ## The type of the process to not audit. ## # interface(`term_dontaudit_list_ptys',` gen_require(` type devpts_t; class dir { getattr search read }; ') dontaudit $1 devpts_t:dir { getattr search read }; ') ######################################## ## ## Do not audit attempts to create, read, ## write, or delete the /dev/pts directory. ## ## ## The type of the process to not audit. ## # interface(`term_dontaudit_manage_pty_dir',` gen_require(` type devpts_t; class dir create_dir_perms; ') dontaudit $1 devpts_t:dir create_dir_perms; ') ######################################## ## ## ioctl of generic pty types. ## ## ## Domain allowed access. ## # # cjp: added for ppp interface(`term_ioctl_generic_pty',` gen_require(` type devpts_t; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir search; allow $1 devpts_t:chr_file ioctl; ') ######################################## ## ## Read and write the generic pty ## type. This is generally only used in ## the targeted policy. ## ## ## Domain allowed access. ## # interface(`term_use_generic_pty',` gen_require(` type devpts_t; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir list_dir_perms; allow $1 devpts_t:chr_file { rw_term_perms lock append }; ') ######################################## ## ## Dot not audit attempts to read and ## write the generic pty type. This is ## generally only used in the targeted policy. ## ## ## The type of the process to not audit. ## # interface(`term_dontaudit_use_generic_pty',` gen_require(` type devpts_t; class chr_file { read write }; ') dontaudit $1 devpts_t:chr_file { read write }; ') ######################################## ## ## Read and write the controlling ## terminal (/dev/tty). ## ## ## Domain allowed access. ## # interface(`term_use_controlling_term',` gen_require(` type devtty_t; ') dev_list_all_dev_nodes($1) allow $1 devtty_t:chr_file { rw_term_perms lock append }; ') ######################################## ## ## Read and write the pty multiplexor (/dev/ptmx). ## ## ## The type of the process to allow access. ## # interface(`term_use_ptmx',` gen_require(` type ptmx_t; ') allow $1 ptmx_t:chr_file rw_file_perms; ') ######################################## ## ## Do not audit attempts to read and ## write the pty multiplexor (/dev/ptmx). ## ## ## The type of the process to not audit. ## # interface(`term_dontaudit_use_ptmx',` gen_require(` type ptmx_t; class chr_file { getattr read write }; ') dontaudit $1 ptmx_t:chr_file { getattr read write }; ') ######################################## ## ## Get the attributes of all user ## pty device nodes. ## ## ## Domain allowed access. ## # interface(`term_getattr_all_user_ptys',` gen_require(` attribute ptynode; class dir r_dir_perms; class chr_file getattr; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir r_dir_perms; allow $1 ptynode:chr_file getattr; ') ######################################## ## ## Do not audit attempts to get the ## attributes of any user pty ## device nodes. ## ## ## Domain allowed access. ## # interface(`term_dontaudit_getattr_all_user_ptys',` gen_require(` attribute ptynode; class chr_file getattr; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir r_dir_perms; dontaudit $1 ptynode:chr_file getattr; ') ######################################## ## ## Set the attributes of all user ## pty device nodes. ## ## ## Domain allowed access. ## # interface(`term_setattr_all_user_ptys',` gen_require(` attribute ptynode; class dir r_dir_perms; class chr_file setattr; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir r_dir_perms; allow $1 ptynode:chr_file setattr; ') ######################################## ## ## Relabel to all user ptys. ## ## ## Domain allowed access. ## # interface(`term_relabelto_all_user_ptys',` gen_require(` attribute ptynode; class chr_file relabelto; ') allow $1 ptynode:chr_file relabelto; ') ######################################## ## ## Read and write all user ptys. ## ## ## Domain allowed access. ## # interface(`term_use_all_user_ptys',` gen_require(` attribute ptynode; type devpts_t; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir r_dir_perms; allow $1 ptynode:chr_file { rw_term_perms lock append }; ') ######################################## ## ## Do not audit attempts to read any ## user ptys. ## ## ## The type of the process to not audit. ## # interface(`term_dontaudit_use_all_user_ptys',` gen_require(` attribute ptynode; ') dontaudit $1 ptynode:chr_file { rw_term_perms lock append }; ') ######################################## ## ## Relabel from and to all user ## user pty device nodes. ## ## ## Domain allowed access. ## # interface(`term_relabel_all_user_ptys',` gen_require(` attribute ptynode; type devpts_t; class chr_file { relabelfrom relabelto }; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir search; allow $1 ptynode:chr_file { relabelfrom relabelto }; ') ######################################## ## ## Get the attributes of all unallocated ## tty device nodes. ## ## ## Domain allowed access. ## # interface(`term_getattr_unallocated_ttys',` gen_require(` type tty_device_t; class chr_file getattr; ') dev_list_all_dev_nodes($1) allow $1 tty_device_t:chr_file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all unallocated tty device nodes. ## ## ## Domain allowed access. ## # interface(`term_dontaudit_getattr_unallocated_ttys',` gen_require(` type tty_device_t; class chr_file getattr; ') dontaudit $1 tty_device_t:chr_file getattr; ') ######################################## ## ## Set the attributes of all unallocated ## tty device nodes. ## ## ## Domain allowed access. ## # interface(`term_setattr_unallocated_ttys',` gen_require(` type tty_device_t; class chr_file setattr; ') dev_list_all_dev_nodes($1) allow $1 tty_device_t:chr_file setattr; ') ######################################## ## ## Relabel from and to the unallocated ## tty type. ## ## ## Domain allowed access. ## # interface(`term_relabel_unallocated_ttys',` gen_require(` type tty_device_t; class chr_file { relabelfrom relabelto }; ') dev_list_all_dev_nodes($1) allow $1 tty_device_t:chr_file { relabelfrom relabelto }; ') ######################################## ## ## Relabel from all user tty types to ## the unallocated tty type. ## ## ## Domain allowed access. ## # interface(`term_reset_tty_labels',` gen_require(` attribute ttynode; type tty_device_t; class chr_file { relabelfrom relabelto }; ') dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file relabelfrom; allow $1 tty_device_t:chr_file relabelto; ') ######################################## ## ## Write to unallocated ttys. ## ## ## Domain allowed access. ## # interface(`term_write_unallocated_ttys',` gen_require(` type tty_device_t; class chr_file { getattr write }; ') dev_list_all_dev_nodes($1) allow $1 tty_device_t:chr_file { getattr write }; ') ######################################## ## ## Read and write unallocated ttys. ## ## ## Domain allowed access. ## # interface(`term_use_unallocated_tty',` gen_require(` type tty_device_t; ') dev_list_all_dev_nodes($1) allow $1 tty_device_t:chr_file { rw_term_perms lock append }; ') ######################################## ## ## Do not audit attempts to read or ## write unallocated ttys. ## ## ## The type of the process to not audit. ## # interface(`term_dontaudit_use_unallocated_tty',` gen_require(` type tty_device_t; class chr_file { read write }; ') dontaudit $1 tty_device_t:chr_file { read write }; ') ######################################## ## ## Get the attributes of all user tty ## device nodes. ## ## ## Domain allowed access. ## # interface(`term_getattr_all_user_ttys',` gen_require(` attribute ttynode; class chr_file getattr; ') dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file getattr; ') ######################################## ## ## Do not audit attempts to get the ## attributes of any user tty ## device nodes. ## ## ## Domain allowed access. ## # interface(`term_dontaudit_getattr_all_user_ttys',` gen_require(` attribute ttynode; class chr_file getattr; ') dev_list_all_dev_nodes($1) dontaudit $1 ttynode:chr_file getattr; ') ######################################## ## ## Set the attributes of all user tty ## device nodes. ## ## ## Domain allowed access. ## # interface(`term_setattr_all_user_ttys',` gen_require(` attribute ttynode; class chr_file setattr; ') dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file setattr; ') ######################################## ## ## Relabel from and to all user ## user tty device nodes. ## ## ## Domain allowed access. ## # interface(`term_relabel_all_user_ttys',` gen_require(` attribute ttynode; class chr_file { relabelfrom relabelto }; ') dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file { relabelfrom relabelto }; ') ######################################## ## ## Write to all user ttys. ## ## ## Domain allowed access. ## # interface(`term_write_all_user_ttys',` gen_require(` attribute ttynode; class chr_file { getattr write }; ') dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file { getattr write }; ') ######################################## ## ## Read and write all user to all user ttys. ## ## ## Domain allowed access. ## # interface(`term_use_all_user_ttys',` gen_require(` attribute ttynode; ') dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file { rw_term_perms lock append }; ') ######################################## ## ## Do not audit attempts to read or write ## any user ttys. ## ## ## Domain allowed access. ## # interface(`term_dontaudit_use_all_user_ttys',` gen_require(` attribute ttynode; class chr_file { read write }; ') dontaudit $1 ttynode:chr_file { read write }; ')