## Policy for local logins. ######################################## ## ## Execute local logins in the local login domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`locallogin_domtrans',` gen_require(` type local_login_t; ') auth_domtrans_login_program($1, local_login_t) ') ######################################## ## ## Allow calling domain to read locallogin state. ## ## ## ## Domain allowed permission. ## ## # interface(`locallogin_read_state',` gen_require(` type local_login_t; ') kernel_search_proc($1) allow $1 local_login_t:file read_file_perms; allow $1 local_login_t:lnk_file read_lnk_file_perms; allow $1 local_login_t:dir list_dir_perms; ') ######################################## ## ## Allow processes to inherit local login file descriptors. ## ## ## ## Domain allowed access. ## ## # interface(`locallogin_use_fds',` gen_require(` type local_login_t; ') allow $1 local_login_t:fd use; ') ######################################## ## ## Use PIDFDs from local login. ## ## ## ## Domain allowed access. ## ## # interface(`locallogin_use_pidfds',` gen_require(` type local_login_t; ') allow $1 local_login_t:fd use; ') ######################################## ## ## Do not audit attempts to inherit local login file descriptors. ## ## ## ## Domain to not audit. ## ## # interface(`locallogin_dontaudit_use_fds',` gen_require(` type local_login_t; ') dontaudit $1 local_login_t:fd use; ') ######################################## ## ## Send a null signal to local login processes. ## ## ## ## Domain allowed access. ## ## # interface(`locallogin_signull',` gen_require(` type local_login_t; ') allow $1 local_login_t:process signull; ') ######################################## ## ## Search for key. ## ## ## ## Domain allowed access. ## ## # interface(`locallogin_search_keys',` gen_require(` type local_login_t; ') allow $1 local_login_t:key search; ') ######################################## ## ## Allow link to the local_login key ring. ## ## ## ## Domain allowed access. ## ## # interface(`locallogin_link_keys',` gen_require(` type local_login_t; ') allow $1 local_login_t:key link; ') ######################################## ## ## Execute single-user logins in the single-user login domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`locallogin_domtrans_sulogin',` gen_require(` type sulogin_exec_t, sulogin_t; ') domtrans_pattern($1, sulogin_exec_t, sulogin_t) ')