## Policy for local logins.
########################################
##
## Execute local logins in the local login domain.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`locallogin_domtrans',`
gen_require(`
type local_login_t;
')
auth_domtrans_login_program($1, local_login_t)
')
########################################
##
## Allow calling domain to read locallogin state.
##
##
##
## Domain allowed permission.
##
##
#
interface(`locallogin_read_state',`
gen_require(`
type local_login_t;
')
kernel_search_proc($1)
allow $1 local_login_t:file read_file_perms;
allow $1 local_login_t:lnk_file read_lnk_file_perms;
allow $1 local_login_t:dir list_dir_perms;
')
########################################
##
## Allow processes to inherit local login file descriptors.
##
##
##
## Domain allowed access.
##
##
#
interface(`locallogin_use_fds',`
gen_require(`
type local_login_t;
')
allow $1 local_login_t:fd use;
')
########################################
##
## Use PIDFDs from local login.
##
##
##
## Domain allowed access.
##
##
#
interface(`locallogin_use_pidfds',`
gen_require(`
type local_login_t;
')
allow $1 local_login_t:fd use;
')
########################################
##
## Do not audit attempts to inherit local login file descriptors.
##
##
##
## Domain to not audit.
##
##
#
interface(`locallogin_dontaudit_use_fds',`
gen_require(`
type local_login_t;
')
dontaudit $1 local_login_t:fd use;
')
########################################
##
## Send a null signal to local login processes.
##
##
##
## Domain allowed access.
##
##
#
interface(`locallogin_signull',`
gen_require(`
type local_login_t;
')
allow $1 local_login_t:process signull;
')
########################################
##
## Search for key.
##
##
##
## Domain allowed access.
##
##
#
interface(`locallogin_search_keys',`
gen_require(`
type local_login_t;
')
allow $1 local_login_t:key search;
')
########################################
##
## Allow link to the local_login key ring.
##
##
##
## Domain allowed access.
##
##
#
interface(`locallogin_link_keys',`
gen_require(`
type local_login_t;
')
allow $1 local_login_t:key link;
')
########################################
##
## Execute single-user logins in the single-user login domain.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`locallogin_domtrans_sulogin',`
gen_require(`
type sulogin_exec_t, sulogin_t;
')
domtrans_pattern($1, sulogin_exec_t, sulogin_t)
')