packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/backport-Allow-init-watch-and-watch_reads-user-ttys.patch
lujie54 21f06ca0b3 backport upstream patches
2022-09-15 09:20:10 +08:00

82 lines
2.2 KiB
Diff
Raw Blame History

From 9e2825e96456f95ba535f3809b23ded5b62dd9a9 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 1 Mar 2022 20:20:25 +0100
Subject: [PATCH] Allow init watch and watch_reads user ttys
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9e2825e96456f95ba535f3809b23ded5b62dd9a9
Conflict: NA
The term_watch_user_ttys() and term_watch_reads_user_ttys()
interfaces were added.
Resolves: rhbz#2058823
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/kernel/terminal.if | 36 ++++++++++++++++++++++++++++++++++++
policy/modules/system/init.te | 2 ++
2 files changed, 38 insertions(+)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index b058850..615d215 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -1824,6 +1824,42 @@ interface(`term_dontaudit_use_all_user_ttys',`
term_dontaudit_use_all_ttys($1)
')
+########################################
+## <summary>
+## Watch user tty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_watch_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file watch_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Watch_reads user tty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_watch_reads_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file watch_reads_chr_file_perms;
+')
+
####################################
## <summary>
## Getattr on the virtio console.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 033f189..a838cdd 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -377,6 +377,8 @@ term_watch_console_dev(init_t)
term_watch_reads_console_dev(init_t)
term_watch_unallocated_ttys(init_t)
term_watch_reads_unallocated_ttys(init_t)
+term_watch_user_ttys(init_t)
+term_watch_reads_user_ttys(init_t)
# Run init scripts.
init_domtrans_script(init_t)
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink