Rwho needs to stat() user terminal character files #708378

diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
index d78daf4ad6ef2a2d025335a8e644a71d01b146a7..0ba4495b055cabdf70864619d2933717a885201c 100644 (file)
--- a/policy/modules/services/rwho.te
+++ b/policy/modules/services/rwho.te
@@ -61,3 +61,4 @@ miscfiles_read_localization(rwho_t)
 
 sysnet_dns_name_resolve(rwho_t)
 
+userdom_getattr_user_terminals(rwho_t)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d7d8b53bbe8e7618bb0c03851101746152568447..64d9bb78e0412ad9c07cc2850d025d12b1e43e00 100644 (file)
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3093,6 +3093,25 @@ interface(`userdom_dontaudit_use_user_terminals',`
        dontaudit $1 user_devpts_t:chr_file rw_term_perms;
 ')
 
+
+########################################
+## <summary>
+##     Get attributes of user domain tty and pty.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_getattr_user_terminals',`
+       gen_require(`
+               type user_tty_device_t, user_devpts_t;
+       ')
+
+       allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Execute a shell in all user domains.  This