master

Branches (14)

Tags (13)

Manage

Manage

master

openEuler-22.03-LTS

openEuler-22.03-LTS-Next

openEuler-22.09

openEuler-20.03-LTS-SP3

openEuler-20.03-LTS-SP1

openEuler-20.03-LTS-SP2

openEuler-21.09

openEuler-20.03-LTS

openEuler-20.03-LTS-Next

openEuler-21.03

openEuler-20.09

openEuler1.0

openEuler1.0-base

openEuler-22.09-rc5

openEuler-22.09-20220829

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

selinux-policy
/
backport-Allow-init-watch-and-watch_r...

From 9e2825e96456f95ba535f3809b23ded5b62dd9a9 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 1 Mar 2022 20:20:25 +0100
Subject: [PATCH] Allow init watch and watch_reads user ttys

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9e2825e96456f95ba535f3809b23ded5b62dd9a9
Conflict: NA

The term_watch_user_ttys() and term_watch_reads_user_ttys()
interfaces were added.

Resolves: rhbz#2058823
Signed-off-by: lujie54 <lujie54@huawei.com>
---
 policy/modules/kernel/terminal.if | 36 ++++++++++++++++++++++++++++++++++++
 policy/modules/system/init.te     |  2 ++
 2 files changed, 38 insertions(+)

diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index b058850..615d215 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -1824,6 +1824,42 @@ interface(`term_dontaudit_use_all_user_ttys',`
 	term_dontaudit_use_all_ttys($1)
 ')

+########################################
+## <summary>
+##	Watch user tty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_watch_user_ttys',`
+	gen_require(`
+		type user_tty_device_t;
+	')
+
+	allow $1 user_tty_device_t:chr_file watch_chr_file_perms;
+')
+
+########################################
+## <summary>
+##	Watch_reads user tty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_watch_reads_user_ttys',`
+	gen_require(`
+		type user_tty_device_t;
+	')
+
+	allow $1 user_tty_device_t:chr_file watch_reads_chr_file_perms;
+')
+
 ####################################
 ## <summary>
 ##      Getattr on the virtio console.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 033f189..a838cdd 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -377,6 +377,8 @@ term_watch_console_dev(init_t)
 term_watch_reads_console_dev(init_t)
 term_watch_unallocated_ttys(init_t)
 term_watch_reads_unallocated_ttys(init_t)
+term_watch_user_ttys(init_t)
+term_watch_reads_user_ttys(init_t)

 # Run init scripts.
 init_domtrans_script(init_t)
--
1.8.3.1