62 lines
1.6 KiB
Plaintext
62 lines
1.6 KiB
Plaintext
#DESC Getty - Manage ttys
|
|
#
|
|
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
|
# X-Debian-Packages: util-linux fbgetty mingetty mgetty rungetty
|
|
#
|
|
|
|
#################################
|
|
#
|
|
# Rules for the getty_t domain.
|
|
#
|
|
init_service_domain(getty, `, privfd')
|
|
|
|
etcdir_domain(getty)
|
|
|
|
allow getty_t console_device_t:chr_file setattr;
|
|
|
|
tmp_domain(getty)
|
|
log_domain(getty)
|
|
|
|
allow getty_t { etc_t etc_runtime_t }:file { getattr read };
|
|
allow getty_t etc_t:lnk_file read;
|
|
allow getty_t self:process { getpgid getsession };
|
|
allow getty_t self:unix_dgram_socket create_socket_perms;
|
|
allow getty_t self:unix_stream_socket create_socket_perms;
|
|
|
|
# Use capabilities.
|
|
allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
|
|
|
|
read_locale(getty_t)
|
|
|
|
# Run login in local_login_t domain.
|
|
allow getty_t { sbin_t bin_t }:dir search;
|
|
domain_auto_trans(getty_t, login_exec_t, local_login_t)
|
|
|
|
# Write to /var/run/utmp.
|
|
allow getty_t { var_t var_run_t }:dir search;
|
|
allow getty_t initrc_var_run_t:file rw_file_perms;
|
|
|
|
# Write to /var/log/wtmp.
|
|
allow getty_t wtmp_t:file rw_file_perms;
|
|
|
|
# Chown, chmod, read and write ttys.
|
|
allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
|
|
allow getty_t ttyfile:chr_file { setattr rw_file_perms };
|
|
dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms;
|
|
|
|
# for error condition handling
|
|
allow getty_t fs_t:filesystem getattr;
|
|
|
|
lock_domain(getty)
|
|
r_dir_file(getty_t, sysfs_t)
|
|
# for mgetty
|
|
var_run_domain(getty)
|
|
allow getty_t self:capability { fowner fsetid };
|
|
|
|
#
|
|
# getty needs to be able to run pppd
|
|
#
|
|
ifdef(`pppd.te', `
|
|
domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
|
|
')
|