Only in /tmp/policy/domains: admin diff -ru /tmp/policy/domains/program/apache.te ./domains/program/apache.te --- /tmp/policy/domains/program/apache.te 2002-10-23 21:38:16.000000000 +0200 +++ ./domains/program/apache.te 2002-10-26 02:49:28.000000000 +0200 @@ -365,17 +365,6 @@ allow httpd_t httpd_user_script_rw_t:file r_file_perms; allow httpd_t httpd_user_script_rw_t:dir r_dir_perms; -######################################## -# When the admin starts the server, the server wants to acess -# the TTY or PTY associated with the session. The httpd appears -# to run correctly without this permission, so the permission -# are commented out here. If you decide that access is needed, -# then uncomment, but be aware that this will grant httpd access -# to all sysadm_r TTYs and PTYs. -################################################## -#allow httpd_t admin_tty_type:chr_file write; -dontaudit httpd_t admin_tty_type:chr_file { read write }; - ########################### # Allow httpd to receive messages from the network card ######################################## @@ -399,12 +388,12 @@ ################################################# # Allow the httpd_t to read the web servers config files ################################################### -allow httpd_t httpd_config_t:file r_file_perms; -allow httpd_t httpd_config_t:dir r_dir_perms; +r_dir_file(httpd_t, httpd_config_t) # allow logrotate to read the config files for restart ifdef(`logrotate.te', ` r_dir_file(logrotate_t, httpd_config_t) ') +r_dir_file(initrc_t, httpd_config_t) ################################################## ################################################## diff -ru /tmp/policy/domains/program/courier.te ./domains/program/courier.te --- /tmp/policy/domains/program/courier.te 2002-10-10 17:50:12.000000000 +0200 +++ ./domains/program/courier.te 2002-10-26 02:48:14.000000000 +0200 @@ -112,9 +112,6 @@ # for calendaring courier_domain(pcp) -# courier pcpd will not start (from an admin shell) without this! -#allow courier_pcp_t admin_tty_type:chr_file { read write }; - allow courier_pcp_t self:capability { setuid setgid }; allow courier_pcp_t random_device_t:chr_file r_file_perms; diff -ru /tmp/policy/domains/program/devfsd.te ./domains/program/devfsd.te --- /tmp/policy/domains/program/devfsd.te 2002-09-27 22:27:37.000000000 +0200 +++ ./domains/program/devfsd.te 2002-10-26 02:49:34.000000000 +0200 @@ -19,7 +19,6 @@ allow devfsd_t proc_t:dir r_dir_perms; allow devfsd_t { etc_t etc_runtime_t proc_t }:file r_file_perms; allow devfsd_t devtty_t:chr_file rw_file_perms; -#allow devfsd_t admin_tty_type:chr_file { read write }; # Run /sbin/modprobe allow devfsd_t sbin_t:dir r_dir_perms; diff -ru /tmp/policy/domains/program/dpkg.te ./domains/program/dpkg.te --- /tmp/policy/domains/program/dpkg.te 2002-10-26 03:27:45.000000000 +0200 +++ ./domains/program/dpkg.te 2002-10-26 03:19:46.000000000 +0200 @@ -109,6 +109,10 @@ # daemons are started in the correct context domain_auto_trans(dpkg_t, etc_t, initrc_t) +# allow dpkg to run open_init_pty +can_create_other_pty(dpkg, initrc) +can_exec(dpkg_t, initrc_exec_t) + ifdef(`bootloader.te', `domain_auto_trans(dpkg_t, bootloader_exec_t, bootloader_t)') diff -ru /tmp/policy/domains/program/initrc.te ./domains/program/initrc.te --- /tmp/policy/domains/program/initrc.te 2002-10-01 19:28:43.000000000 +0200 +++ ./domains/program/initrc.te 2002-10-26 02:41:58.000000000 +0200 @@ -19,6 +19,9 @@ every_domain(initrc_t) type initrc_exec_t, file_type, sysadmfile, exec_type; +# Can create ptys for open_init_pty +can_create_pty(initrc) + type initrc_tmp_t, file_type, sysadmfile, tmpfile; file_type_auto_trans(initrc_t, tmp_t, initrc_tmp_t) @@ -227,4 +230,4 @@ # # Rules for the run_init_t domain. # -run_program(sysadm_t, sysadm_r, init, etc_t, initrc_t) +run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t) diff -ru /tmp/policy/domains/program/ircd.te ./domains/program/ircd.te --- /tmp/policy/domains/program/ircd.te 2002-09-27 22:27:37.000000000 +0200 +++ ./domains/program/ircd.te 2002-10-26 02:49:39.000000000 +0200 @@ -21,8 +21,6 @@ type var_lib_ircd_t, sysadmfile, file_type; file_type_auto_trans(ircd_t, var_lib_t, var_lib_ircd_t) -#allow ircd_t admin_tty_type:chr_file rw_file_perms; - # Use the network. can_network(ircd_t) #allow ircd_t self:fifo_file { read write }; diff -ru /tmp/policy/domains/program/named.te ./domains/program/named.te --- /tmp/policy/domains/program/named.te 2002-10-17 00:01:11.000000000 +0200 +++ ./domains/program/named.te 2002-10-26 02:48:19.000000000 +0200 @@ -17,9 +17,6 @@ type ndc_t, domain, privlog; role sysadm_r types ndc_t; -# named will not start (from an admin shell) without this! -#allow named_t admin_tty_type:chr_file { read write }; - can_exec(named_t, named_exec_t) allow named_t sbin_t:dir search; diff -ru /tmp/policy/domains/program/postfix.te ./domains/program/postfix.te --- /tmp/policy/domains/program/postfix.te 2002-10-17 00:01:12.000000000 +0200 +++ ./domains/program/postfix.te 2002-10-26 02:50:36.000000000 +0200 @@ -90,8 +90,6 @@ create_dir_file(postfix_master_t, postfix_spool_flush_t) allow postfix_master_t random_device_t:chr_file { read getattr }; allow postfix_master_t postfix_prng_t:file rw_file_perms; -# should not need read, getattr does not matter -allow postfix_master_t admin_tty_type:chr_file { getattr read write }; # allow access to deferred queue allow postfix_master_t postfix_spool_t:dir create_dir_perms; diff -ru /tmp/policy/domains/program/postgresql.te ./domains/program/postgresql.te --- /tmp/policy/domains/program/postgresql.te 2002-10-23 21:38:18.000000000 +0200 +++ ./domains/program/postgresql.te 2002-10-26 02:48:23.000000000 +0200 @@ -11,9 +11,6 @@ # daemon_domain(postgresql) -# postgresql will not start (from an admin shell) without this! -#allow postgresql_t admin_tty_type:chr_file { read write }; - ifdef(`dpkg.te', ` # gross hack domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t) diff -ru /tmp/policy/domains/program/radvd.te ./domains/program/radvd.te --- /tmp/policy/domains/program/radvd.te 2002-09-27 22:27:38.000000000 +0200 +++ ./domains/program/radvd.te 2002-10-26 02:50:40.000000000 +0200 @@ -14,8 +14,6 @@ allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms; allow radvd_t self:{ rawip_socket } recvfrom; -#allow radvd_t admin_tty_type:chr_file { read write }; - allow radvd_t self:capability { net_raw }; allow radvd_t self:{ unix_dgram_socket rawip_socket } create; allow radvd_t self:unix_stream_socket create_socket_perms; diff -ru /tmp/policy/domains/program/rlogind.te ./domains/program/rlogind.te --- /tmp/policy/domains/program/rlogind.te 2002-10-17 00:01:13.000000000 +0200 +++ ./domains/program/rlogind.te 2002-10-26 02:41:09.000000000 +0200 @@ -45,7 +45,3 @@ # Modify /var/log/wtmp. allow rlogind_t wtmp_t:file rw_file_perms; - -ifdef(`devfsd.te', ` -allow rlogind_t device_t:filesystem getattr; -') diff -ru /tmp/policy/domains/program/slapd.te ./domains/program/slapd.te --- /tmp/policy/domains/program/slapd.te 2002-09-27 22:27:38.000000000 +0200 +++ ./domains/program/slapd.te 2002-10-26 02:48:28.000000000 +0200 @@ -18,9 +18,6 @@ type slapd_db_t, file_type, sysadmfile; type slapd_replog_t, file_type, sysadmfile; -# slapd will not start (from an admin shell) without this! -#allow slapd_t admin_tty_type:chr_file { read write }; - tmp_domain(slapd) # Use the network. diff -ru /tmp/policy/domains/program/ssh.te ./domains/program/ssh.te --- /tmp/policy/domains/program/ssh.te 2002-10-23 21:38:19.000000000 +0200 +++ ./domains/program/ssh.te 2002-10-26 02:50:47.000000000 +0200 @@ -36,10 +36,6 @@ # Determine the set of legal user SIDs that can be reached. allow $1 security_t:security get_user_sids; -ifdef(`devfsd.te', ` -allow $1 device_t:filesystem getattr; -') - ')dnl end sshd_program_domain ################################# @@ -69,9 +65,6 @@ # Inherit and use descriptors from init. allow sshd_t init_t:fd use; -# for startup error messages -#allow sshd_t admin_tty_type:chr_file { read write }; - # Can create ptys can_create_pty(sshd) diff -ru /tmp/policy/domains/program/transproxy.te ./domains/program/transproxy.te --- /tmp/policy/domains/program/transproxy.te 2002-09-27 22:27:39.000000000 +0200 +++ ./domains/program/transproxy.te 2002-10-26 02:50:56.000000000 +0200 @@ -16,7 +16,6 @@ # Use the network. can_network(transproxy_t) allow transproxy_t transproxy_port_t:tcp_socket name_bind; -#allow transproxy_t admin_tty_type:chr_file { read write }; #allow transproxy_t self:fifo_file { read write }; allow transproxy_t self:unix_stream_socket create_socket_perms; diff -ru /tmp/policy/file_contexts/program/initrc.fc ./file_contexts/program/initrc.fc --- /tmp/policy/file_contexts/program/initrc.fc 2002-09-21 05:01:29.000000000 +0200 +++ ./file_contexts/program/initrc.fc 2002-10-26 02:54:40.000000000 +0200 @@ -9,3 +9,4 @@ # run_init /usr/local/selinux/sbin/run_init system_u:object_r:run_init_exec_t /usr/sbin/run_init system_u:object_r:run_init_exec_t +/usr/sbin/open_init_pty system_u:object_r:initrc_exec_t diff -ru /tmp/policy/macros/global_macros.te ./macros/global_macros.te --- /tmp/policy/macros/global_macros.te 2002-10-01 19:28:52.000000000 +0200 +++ ./macros/global_macros.te 2002-10-26 03:20:05.000000000 +0200 @@ -530,6 +530,11 @@ # Read and write my pty files. allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms }; + +ifdef(`devfsd.te', ` +allow $1_t device_t:filesystem getattr; +') + ') @@ -549,6 +554,11 @@ # Read and write pty files. allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms }; + +ifdef(`devfsd.te', ` +allow $1_t device_t:filesystem getattr; +') + ') @@ -930,6 +940,7 @@ allow $1_t device_t:dir { getattr search }; allow $1_t null_device_t:chr_file rw_file_perms; allow $1_t console_device_t:chr_file rw_file_perms; +allow $1_t initrc_devpts_t:chr_file rw_file_perms; ')dnl define(`daemon_domain', ` diff -ru /tmp/policy/macros/user_macros.te ./macros/user_macros.te --- /tmp/policy/macros/user_macros.te 2002-10-10 17:50:29.000000000 +0200 +++ ./macros/user_macros.te 2002-10-26 02:33:42.000000000 +0200 @@ -40,10 +40,6 @@ # Bind to a Unix domain socket in /tmp. allow $1_t $1_tmp_t:unix_stream_socket name_bind; -ifdef(`devfsd.te', ` -allow $1_t device_t:filesystem getattr; -') - # Type for tty devices. type $1_tty_device_t, file_type, sysadmfile, ttyfile; # Access ttys.