From 9e2825e96456f95ba535f3809b23ded5b62dd9a9 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Tue, 1 Mar 2022 20:20:25 +0100
Subject: [PATCH] Allow init watch and watch_reads user ttys

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9e2825e96456f95ba535f3809b23ded5b62dd9a9
Conflict: NA
The term_watch_user_ttys() and term_watch_reads_user_ttys() interfaces were added.
Resolves: rhbz#2058823
Signed-off-by: lujie54
---
 policy/modules/kernel/terminal.if | 36 ++++++++++++++++++++++++++++++++++++
 policy/modules/system/init.te | 2 ++
 2 files changed, 38 insertions(+)

diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index b058850..615d215 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -1824,6 +1824,42 @@ interface(`term_dontaudit_use_all_user_ttys',`
 term_dontaudit_use_all_ttys($1)
 ')
 
+########################################
+##
+## Watch user tty device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`term_watch_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file watch_chr_file_perms;
+')
+
+########################################
+##
+## Watch_reads user tty device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`term_watch_reads_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file watch_reads_chr_file_perms;
+')
+
 ####################################
 ##
 ## Getattr on the virtio console.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 033f189..a838cdd 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
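Review bot: The summary of the new `term_watch_reads_user_ttys` interface reads `Watch_reads user tty device nodes.`, which pastes the permission name into prose; the first new interface and the `Getattr on the virtio console.` context line show the house style, so `Watch reads of user tty device nodes.` fits better. Both new interfaces grant the permission on every `user_tty_device_t` node rather than on the caller's own tty only, which is worth saying in the summaries so callers pick `term_watch_user_ttys` when read-event notifications are not actually needed. The `<summary>`/`<param>` markup of the doc comments appears to have been stripped in this rendering, so that is presumably a display artifact rather than something the patch omits.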
@@ -377,6 +377,8 @@ term_watch_console_dev(init_t)
 term_watch_reads_console_dev(init_t)
 term_watch_unallocated_ttys(init_t)
 term_watch_reads_unallocated_ttys(init_t)
+term_watch_user_ttys(init_t)
+term_watch_reads_user_ttys(init_t)
 
 # Run init scripts.
 init_domtrans_script(init_t)
-- 
1.8.3.1
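Review bot: The two added calls extend init_t's watch access from the console and unallocated ttys to every user tty, but nothing in the file records why; a comment such as `# init sets watches on user ttys (rhbz#2058823)` directly above `term_watch_user_ttys(init_t)` would keep the justification next to the rule. `watch_reads` delivers read-event notifications on terminals owned by other users, so it is worth confirming from the original denial that the `watch_reads` permission, and not only `watch`, was actually requested before granting both interfaces. The run of term_watch_* rules this hunk sits in starts before the hunk.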