selinux-policy/targeted/domains/program/consoletype.te

#DESC consoletype - determine the type of a console device
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: 
#

#################################
#
# Rules for the consoletype_t domain.
#
# consoletype_t is the domain for the consoletype program.
# consoletype_exec_t is the type of the corresponding program.
#
type consoletype_t, domain, mlsfileread, mlsfilewrite;
type consoletype_exec_t, file_type, sysadmfile, exec_type;

role system_r types consoletype_t;

uses_shlib(consoletype_t)
general_domain_access(consoletype_t)

ifdef(`targeted_policy', `', `
domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)

ifdef(`xdm.te', `
domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
allow consoletype_t xdm_tmp_t:file { read write };
')

ifdef(`hotplug.te', `
domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
')
')

allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;

allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;

# Use capabilities.
allow consoletype_t self:capability sys_admin;

allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
allow consoletype_t initrc_t:fifo_file write;
allow consoletype_t nfs_t:file write;
allow consoletype_t sysadm_t:fifo_file rw_file_perms;

ifdef(`lpd.te', `
allow consoletype_t printconf_t:file { getattr read };
')

ifdef(`pam.te', `
allow consoletype_t pam_var_run_t:file { getattr read };
')
ifdef(`distro_redhat', `
allow consoletype_t tmpfs_t:chr_file rw_file_perms;
')
ifdef(`firstboot.te', `
allow consoletype_t firstboot_t:fifo_file write;
')
dontaudit consoletype_t proc_t:dir search;
dontaudit consoletype_t proc_t:file read;
dontaudit consoletype_t root_t:file read;
allow consoletype_t crond_t:fifo_file { read getattr ioctl };
allow consoletype_t system_crond_t:fd use;
allow consoletype_t fs_t:filesystem getattr;