From: bigon@debian.org (Laurent Bigonville)
Date: Wed,  5 Dec 2012 21:39:25 +0100
Subject: [refpolicy] [PATCH 4/7] authlogin.if: Add
	auth_create_pam_console_data_dirs and
	auth_pid_filetrans_pam_var_console interfaces
In-Reply-To: <1354739968-4547-1-git-send-email-bigon@debian.org>
References: <1354739968-4547-1-git-send-email-bigon@debian.org>
Message-ID: <1354739968-4547-4-git-send-email-bigon@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

From: Laurent Bigonville <bigon@bigon.be>

On Debian /var/run/console directory might be created by consolekit, we
need these new interfaces to achieve this.
---
 policy/modules/system/authlogin.if |   50 ++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 8cdaa26..3efd5b6 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1102,6 +1102,25 @@ interface(`auth_list_pam_console_data',`
 
 ########################################
 ## <summary>
+##	Create pam var console pid directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_create_pam_console_data_dirs',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_search_pids($1)
+	allow $1 pam_var_console_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Relabel pam_console data directories.
 ## </summary>
 ## <param name="domain">
@@ -1181,6 +1200,37 @@ interface(`auth_delete_pam_console_data',`
 
 ########################################
 ## <summary>
+##	Create specified objects in
+##	pid directories with the pam var
+##      console pid file type using a
+##      file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`auth_pid_filetrans_pam_var_console',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_pid_filetrans($1, pam_var_console_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Read all directories on the filesystem, except
 ##	login files and listed exceptions.
 ## </summary>
-- 
1.7.10.4