Commit | Line | Data |
---|---|---|
3865d6b9 | 1 | ## <summary>Policy for local logins.</summary> |
07efe969 | 2 | |
########################################
## <summary>
##	Execute local logins in the local login domain.
## </summary>
## <desc>
##	<p>
##	Passes the calling domain and local_login_t to
##	auth_domtrans_login_program. When enable_mcs is defined,
##	auth_ranged_domtrans_login_program is also invoked with
##	the range s0 - mcs_systemhigh.
##	</p>
##	<p>
##	Review note: both helpers are defined outside this file,
##	so the exact rules they expand to should be confirmed
##	there. Grant this interface only to domains that are
##	meant to start local login sessions.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`locallogin_domtrans',`
	gen_require(`
		type local_login_t;
	')

	# Unconditional transition rule for the calling domain.
	auth_domtrans_login_program($1, local_login_t)

	# MCS builds only: ranged variant of the same transition.
	ifdef(`enable_mcs',`
		auth_ranged_domtrans_login_program($1, local_login_t, s0 - mcs_systemhigh)
	')
')
24 | ||
########################################
## <summary>
##	Allow processes to inherit local login file descriptors.
## </summary>
## <desc>
##	<p>
##	Grants the use permission on fd objects labeled
##	local_login_t. This rule covers the descriptor itself;
##	access to the file or device behind the descriptor is
##	checked separately against that object.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`locallogin_use_fds',`
	gen_require(`
		type local_login_t;
	')

	allow $1 local_login_t:fd use;
')
42 | ||
########################################
## <summary>
##	Do not audit attempts to inherit local login file descriptors.
## </summary>
## <desc>
##	<p>
##	The access stays denied; only the AVC denial message for
##	fd use on local_login_t is suppressed.
##	</p>
##	<p>
##	Review note: suppressed denials leave no audit trail.
##	When troubleshooting or investigating unexpected behaviour
##	in a calling domain, rebuild the policy with dontaudit
##	rules disabled (semodule -DB) so these denials are logged.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`locallogin_dontaudit_use_fds',`
	gen_require(`
		type local_login_t;
	')

	dontaudit $1 local_login_t:fd use;
')
60 | ||
########################################
## <summary>
##	Send a null signal to local login processes.
## </summary>
## <desc>
##	<p>
##	Grants only the signull permission on processes running
##	as local_login_t. The null signal (signal 0) delivers
##	nothing to the target; it is typically used to test
##	whether a process exists. No other signal permission is
##	granted here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`locallogin_signull',`
	gen_require(`
		type local_login_t;
	')

	allow $1 local_login_t:process signull;
')
d6d16b97 CP |
78 | |
########################################
## <summary>
##	Search keys labeled with the local login domain type.
## </summary>
## <desc>
##	<p>
##	Grants the search permission on key objects (kernel
##	keyring keys) labeled local_login_t. No other key
##	permission is granted by this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`locallogin_search_keys',`
	gen_require(`
		type local_login_t;
	')

	allow $1 local_login_t:key search;
')
96 | ||
########################################
## <summary>
##	Allow link to the local_login key ring.
## </summary>
## <desc>
##	<p>
##	Grants the link permission on key objects labeled
##	local_login_t. Only link is granted here; search is
##	provided separately by locallogin_search_keys.
##	</p>
##	<p>
##	Review note: whether a caller needs link, search or both
##	depends on how it uses the keyring. Confirm against the
##	caller rather than granting both by default.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`locallogin_link_keys',`
	gen_require(`
		type local_login_t;
	')

	allow $1 local_login_t:key link;
')
d46cfe45 CP |
114 | |
########################################
## <summary>
##	Execute sulogin in the sulogin domain.
## </summary>
## <desc>
##	<p>
##	Uses domtrans_pattern with sulogin_exec_t as the entry
##	point type and sulogin_t as the target domain. This
##	interface does not involve local_login_t.
##	</p>
##	<p>
##	Review note: domtrans_pattern is defined outside this
##	file, so the exact rules it expands to should be
##	confirmed there. Grant this only to domains that are
##	meant to start sulogin.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`locallogin_domtrans_sulogin',`
	gen_require(`
		type sulogin_exec_t, sulogin_t;
	')

	domtrans_pattern($1, sulogin_exec_t, sulogin_t)
')