selinux-policy/refpolicy/policy/modules/apps/screen.if
2006-01-31 16:49:43 +00:00

198 lines
5.7 KiB
Plaintext

## <summary>GNU terminal multiplexer</summary>
#######################################
## <summary>
## The per user domain template for the screen module.
## </summary>
## <desc>
## <p>
## This template creates a derived domains which are used
## for screen sessions.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="user_domain">
## The type of the user domain.
## </param>
## <param name="user_role">
## The role associated with the user domain.
## </param>
#
template(`screen_per_userdomain_template',`
gen_require(`
type screen_dir_t, screen_exec_t;
')
########################################
#
# Declarations
#
type $1_screen_t;
domain_type($1_screen_t)
domain_entry_file($1_screen_t,screen_exec_t)
domain_wide_inherit_fd($1_screen_t)
role $3 types $1_screen_t;
type $1_screen_tmp_t;
files_tmp_file($1_screen_tmp_t)
type $1_screen_ro_home_t;
files_type($1_screen_ro_home_t)
type $1_screen_var_run_t;;
files_pid_file($1_screen_var_run_t)
########################################
#
# Local policy
#
allow $1_screen_t self:capability { setuid setgid fsetid };
allow $1_screen_t self:process signal_perms;
allow $1_screen_t self:tcp_socket create_stream_socket_perms;
allow $1_screen_t self:udp_socket create_socket_perms;
# Internal screen networking
allow $1_screen_t self:fd use;
allow $1_screen_t self:unix_stream_socket create_socket_perms;
allow $1_screen_t self:unix_dgram_socket create_socket_perms;
allow $1_screen_t $1_screen_tmp_t:dir create_dir_perms;
allow $1_screen_t $1_screen_tmp_t:file create_file_perms;
allow $1_screen_t $1_screen_tmp_t:fifo_file create_file_perms;
files_filetrans_tmp($1_screen_t, $1_screen_tmp_t, { file dir })
# Create fifo
allow $1_screen_t screen_dir_t:dir rw_dir_perms;
allow $1_screen_t screen_dir_t:dir create_dir_perms;
allow $1_screen_t $1_screen_var_run_t:fifo_file create_file_perms;
type_transition $1_screen_t screen_dir_t:fifo_file $1_screen_var_run_t;
files_filetrans_pid($1_screen_t,screen_dir_t,dir)
allow $1_screen_t $1_screen_ro_home_t:dir r_dir_perms;
allow $1_screen_t $1_screen_ro_home_t:file r_file_perms;
allow $1_screen_t $1_screen_ro_home_t:lnk_file { read getattr };
domain_auto_trans($2, screen_exec_t, $1_screen_t)
allow $2 $1_screen_t:process signal;
allow $1_screen_t $2:process { signal sigchld };
allow $1_screen_t $2:fd use;
allow $1_screen_t $2:fifo_file rw_file_perms;
allow $1_screen_t $1_home_dir_t:dir { search getattr };
allow $2 $1_screen_ro_home_t:dir create_dir_perms;
allow $2 $1_screen_ro_home_t:file create_file_perms;
allow $2 $1_screen_ro_home_t:lnk_file create_lnk_perms;
allow $2 $1_screen_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
kernel_read_system_state($1_screen_t)
kernel_read_kernel_sysctls($1_screen_t)
corecmd_list_bin($1_screen_t)
corecmd_read_bin_file($1_screen_t)
corecmd_read_bin_symlink($1_screen_t)
corecmd_read_bin_pipe($1_screen_t)
corecmd_read_bin_socket($1_screen_t)
corecmd_list_sbin($1_screen_t)
corecmd_read_sbin_symlink($1_screen_t)
corecmd_read_sbin_file($1_screen_t)
corecmd_read_sbin_pipe($1_screen_t)
corecmd_read_sbin_socket($1_screen_t)
# Revert to the user domain when a shell is executed.
corecmd_shell_domtrans($1_screen_t,$2)
corecmd_bin_domtrans($1_screen_t,$2)
corenet_tcp_sendrecv_generic_if($1_screen_t)
corenet_udp_sendrecv_generic_if($1_screen_t)
corenet_raw_sendrecv_generic_if($1_screen_t)
corenet_tcp_sendrecv_all_nodes($1_screen_t)
corenet_udp_sendrecv_all_nodes($1_screen_t)
corenet_raw_sendrecv_all_nodes($1_screen_t)
corenet_tcp_sendrecv_all_ports($1_screen_t)
corenet_udp_sendrecv_all_ports($1_screen_t)
corenet_tcp_bind_all_nodes($1_screen_t)
corenet_udp_bind_all_nodes($1_screen_t)
corenet_tcp_connect_all_ports($1_screen_t)
dev_dontaudit_getattr_all_chr_files($1_screen_t)
dev_dontaudit_getattr_all_blk_files($1_screen_t)
# for SSP
dev_read_urand($1_screen_t)
domain_use_wide_inherit_fd($1_screen_t)
files_search_tmp($1_screen_t)
files_search_home($1_screen_t)
files_list_home($1_screen_t)
files_read_usr_files($1_screen_t)
files_read_etc_files($1_screen_t)
fs_search_auto_mountpoints($1_screen_t)
fs_getattr_xattr_fs($1_screen_t)
auth_dontaudit_read_shadow($1_screen_t)
auth_dontaudit_exec_utempter($1_screen_t)
# Write to utmp.
init_rw_utmp($1_screen_t)
libs_use_ld_so($1_screen_t)
libs_use_shared_libs($1_screen_t)
logging_send_syslog_msg($1_screen_t)
miscfiles_read_localization($1_screen_t)
seutil_read_config($1_screen_t)
sysnet_read_config($1_screen_t)
userdom_use_user_terminals($1,$1_screen_t)
userdom_create_user_pty($1,$1_screen_t)
userdom_user_home_domtrans($1,$1_screen_t,$2)
userdom_setattr_user_pty($1,$1_screen_t)
tunable_policy(`read_default_t',`
files_list_default($1_screen_t)
files_read_default_files($1_screen_t)
files_read_default_symlinks($1_screen_t)
files_read_default_sockets($1_screen_t)
files_read_default_pipes($1_screen_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_cifs_domtrans($1_screen_t,$2)
fs_read_cifs_symlinks($1_screen_t)
fs_list_cifs($1_screen_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_nfs_domtrans($1_screen_t,$2)
fs_list_nfs($1_screen_t)
fs_read_nfs_symlinks($1_screen_t)
')
optional_policy(`nis',`
nis_use_ypbind($1_screen_t)
')
optional_policy(`nscd',`
nscd_use_socket($1_screen_t)
')
ifdef(`TODO',`
# Inherit and use descriptors from gnome-pty-helper.
optional_policy(`gnome-pty-helper.te',`
allow $1_screen_t $1_gph_t:fd use;
')
') dnl TODO
')