[selinux-policy: 907/3172] tty and caps fixes

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:23:25 UTC 2010


commit 7ac22585e3f0d534638d70053bef4501555abf07
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Nov 1 15:34:00 2005 +0000

    tty and caps fixes

 refpolicy/policy/modules/services/bind.te     |    5 +++++
 refpolicy/policy/modules/services/postfix.te  |    5 +++++
 refpolicy/policy/modules/services/snmp.te     |    1 +
 refpolicy/policy/modules/system/authlogin.te  |    2 +-
 refpolicy/policy/modules/system/modutils.te   |    5 +++++
 refpolicy/policy/modules/system/unconfined.te |    1 +
 6 files changed, 18 insertions(+), 1 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index c323392..a4db2f7 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -247,6 +247,11 @@ ifdef(`distro_redhat',`
 	allow ndc_t named_conf_t:dir search;
 ')
 
+ifdef(`targeted_policy', `
+	term_use_unallocated_tty(ndc_t)
+	term_use_generic_pty(ndc_t)
+')
+
 tunable_policy(`named_write_master_zones',`
 	allow named_t named_zone_t:dir create_dir_perms;
 	allow named_t named_zone_t:file create_file_perms;
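Review bot: The added targeted_policy block for ndc_t has no comment saying why a confined domain needs the generic terminal types, and the same uncommented block is added for postfix_postdrop_t in postfix.te and depmod_t in modutils.te. Presumably this is because the targeted policy does not relabel user terminals, so a tool started from a login shell sees only the unallocated tty and generic pty types; a one-line comment such as `# targeted: user terminals keep the generic tty/pty types` would record that. Note that `term_use_unallocated_tty` and `term_use_generic_pty` are not limited to the invoking user's terminal, so each of these domains can now use any terminal carrying the generic types. It is worth confirming that this breadth is acceptable for all three.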
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 969692f..e7ddccc 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -451,6 +451,11 @@ sysnet_dontaudit_read_config(postfix_postdrop_t)
 
 mta_rw_user_mail_stream_socket(postfix_postdrop_t)
 
+ifdef(`targeted_policy', `
+	term_use_unallocated_tty(postfix_postdrop_t)
+	term_use_generic_pty(postfix_postdrop_t)
+')
+
 optional_policy(`crond.te',`
 	cron_use_fd(postfix_postdrop_t)
 	cron_rw_pipe(postfix_postdrop_t)
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index e453757..45b81a3 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -26,6 +26,7 @@ files_type(snmpd_var_lib_t)
 # Local policy
 #
 allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
+dontaudit snmpd_t self:capability sys_tty_config;
 allow snmpd_t self:fifo_file rw_file_perms;
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
 allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
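Review bot: The added `dontaudit snmpd_t self:capability sys_tty_config;` has no effect as written, because the unchanged `allow` rule on the line above still lists sys_tty_config and a dontaudit rule only applies to accesses that are denied. If the intent is to stop granting the capability and silence the resulting denials, the allow set has to drop it as well: `allow snmpd_t self:capability { dac_override kill net_admin sys_nice };`. If snmpd does need sys_tty_config, the dontaudit line is dead and should be removed so the policy does not suggest the capability is withheld.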
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 0fb6a6a..5dae3e7 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -270,7 +270,7 @@ kernel_read_system_state(system_chkpwd_t)
 
 fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
 
-term_use_unallocated_tty(system_chkpwd_t)
+term_dontaudit_use_unallocated_tty(system_chkpwd_t)
 
 domain_dontaudit_use_wide_inherit_fd(system_chkpwd_t)
 
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 5f68f1b..5613a7a 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -190,6 +190,11 @@ files_list_home(depmod_t)
 userdom_read_staff_home_files(depmod_t)
 userdom_read_sysadm_home_files(depmod_t)
 
+ifdef(`targeted_policy', `
+	term_use_unallocated_tty(depmod_t)
+	term_use_generic_pty(depmod_t)
+')
+
 optional_policy(`rpm.te',`
 	rpm_rw_pipe(depmod_t)
 ')
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index ab9c9c6..5b06fde 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -26,6 +26,7 @@ logging_send_syslog_msg(unconfined_t)
 
 ifdef(`targeted_policy',`
 	allow unconfined_t self:system syslog_read;
+	dontaudit unconfined_t self:capability sys_module;
 
 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
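Review bot: The new `dontaudit unconfined_t self:capability sys_module;` suppresses the audit record for a security-relevant capability without a comment explaining which program triggers the denial. If sys_module is not granted to unconfined_t elsewhere in the policy (not visible in this hunk), denied kernel-module operations from that domain will no longer produce AVC messages, which removes a signal useful for detection and incident response. A comment along the lines of `# <program> probes sys_module; denial is harmless noise` (placeholder, name the actual source) would let a later reviewer judge whether the rule is still needed. The enclosing ifdef block continues past the end of the hunk.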

