selinux-policy/mls/domains/program/sulogin.te
2005-11-22 19:28:03 +00:00

57 lines
1.5 KiB
Plaintext

#DESC sulogin - Single-User login
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
# X-Debian-Packages: sysvinit
#################################
#
# Rules for the sulogin_t domain
#
type sulogin_t, domain, privrole, privowner, privlog, privfd, privuser, auth;
type sulogin_exec_t, file_type, exec_type, sysadmfile;
role system_r types sulogin_t;
general_domain_access(sulogin_t)
domain_auto_trans({ initrc_t init_t }, sulogin_exec_t, sulogin_t)
allow sulogin_t initrc_t:process getpgid;
uses_shlib(sulogin_t)
# suse and debian do not use pam with sulogin...
ifdef(`distro_suse', `
define(`sulogin_no_pam', `')
')
ifdef(`distro_debian', `
define(`sulogin_no_pam', `')
')
ifdef(`sulogin_no_pam', `
domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
allow sulogin_t init_t:process getpgid;
allow sulogin_t self:capability sys_tty_config;
', `
domain_trans(sulogin_t, shell_exec_t, sysadm_t)
allow sulogin_t shell_exec_t:file r_file_perms;
can_setexec(sulogin_t)
can_getsecurity(sulogin_t)
')
r_dir_file(sulogin_t, etc_t)
allow sulogin_t bin_t:dir r_dir_perms;
r_dir_file(sulogin_t, proc_t)
allow sulogin_t root_t:dir search;
allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
allow sulogin_t default_context_t:dir search;
allow sulogin_t default_context_t:file { getattr read };
r_dir_file(sulogin_t, selinux_config_t)
# because file systems are not mounted
dontaudit sulogin_t file_t:dir search;