From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 07 Dec 2012 00:49:59 -0500 Subject: [refpolicy] [PATCH 4/7] authlogin.if: Add auth_create_pam_console_data_dirs and auth_pid_filetrans_pam_var_console interfaces In-Reply-To: <1354739968-4547-4-git-send-email-bigon@debian.org> References: <1354739968-4547-1-git-send-email-bigon@debian.org> <1354739968-4547-4-git-send-email-bigon@debian.org> Message-ID: <50C18387.3070304@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/5/2012 3:39 PM, Laurent Bigonville wrote: > From: Laurent Bigonville > > On Debian /var/run/console directory might be created by consolekit, we > need these new interfaces to achieve this. > --- > policy/modules/system/authlogin.if | 50 ++++++++++++++++++++++++++++++++++++ > 1 file changed, 50 insertions(+) > > diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if > index 8cdaa26..3efd5b6 100644 > --- a/policy/modules/system/authlogin.if > +++ b/policy/modules/system/authlogin.if > @@ -1102,6 +1102,25 @@ interface(`auth_list_pam_console_data',` > > ######################################## > ## > +## Create pam var console pid directories. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`auth_create_pam_console_data_dirs',` > + gen_require(` > + type pam_var_console_t; > + ') > + > + files_search_pids($1) > + allow $1 pam_var_console_t:dir create_dir_perms; > +') > + > +######################################## > +## > ## Relabel pam_console data directories. > ## > ## 
> @@ -1181,6 +1200,37 @@ interface(`auth_delete_pam_console_data',` > > ######################################## > ## > +## Create specified objects in > +## pid directories with the pam var > +## console pid file type using a > +## file type transition. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Class of the object being created. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`auth_pid_filetrans_pam_var_console',` > + gen_require(` > + type pam_var_console_t; > + ') > + > + files_pid_filetrans($1, pam_var_console_t, $2, $3) > +') > + > +######################################## > +## > ## Read all directories on the filesystem, except > ## login files and listed exceptions. > ## > Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
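Review bot: the summary of auth_create_pam_console_data_dirs in the first hunk ("Create pam var console pid directories.") matches neither the interface name nor the neighbouring interfaces, which all describe the type as "pam_console data" (auth_list_pam_console_data, "Relabel pam_console data directories.", auth_delete_pam_console_data); "Create pam_console data directories." would keep the generated documentation consistent. The summary should also say that the rule only allows creating a directory already labelled pam_var_console_t: on its own the interface does not make a directory the caller creates under /var/run take that type, so a caller that wants the new directory to land on pam_var_console_t also needs a file type transition, otherwise the directory inherits the parent's type.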
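Review bot: the description of auth_pid_filetrans_pam_var_console in the second hunk should state that the interface only sets up the transition and grants nothing on pam_var_console_t itself: files_pid_filetrans() supplies the type_transition and the access to the pid parent directory, but the create permission on the resulting pam_var_console_t directory has to come from auth_create_pam_console_data_dirs or another create/manage interface for that type, so the two interfaces are meant to be called together. A minor style point: the rest of the file names this type "pam_console data", so auth_pid_filetrans_pam_console_data would follow the file's naming more closely than auth_pid_filetrans_pam_var_console.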
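Added example, not part of the patch or of refpolicy: a module fragment showing how the two new interfaces are used together by a domain that creates /var/run/console. The domain name consolekit_t and the directory name "console" are assumptions for illustration; the real caller on Debian is whatever the consolekit module declares.

```selinux
# Added example (not refpolicy code): consuming the two interfaces added by
# the patch so that a directory created under /var/run lands on
# pam_var_console_t instead of inheriting var_run_t from its parent.
# Assumptions: the creating domain is consolekit_t and the directory is
# named "console".

policy_module(pam_console_dir_example, 1.0.0)

gen_require(`
	type consolekit_t;
')

# Grants consolekit_t search on /var/run plus create/getattr on a
# directory of type pam_var_console_t.  Without the transition below the
# directory it creates would still be var_run_t and this rule would never
# match.
auth_create_pam_console_data_dirs(consolekit_t)

# Name-based type transition: a directory called "console" that
# consolekit_t creates directly inside a var_run_t directory is labelled
# pam_var_console_t.  Without the create rule above the transition would
# select the type but the create itself would be denied.
auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
```

After building and loading the module, confirm the transition is in the loaded policy with `sesearch -T -s consolekit_t -t var_run_t -c dir`; the expected rule names pam_var_console_t as the resulting type with "console" as the object name. If the directory still comes up as var_run_t at runtime, check that both rules are present and that it is created directly under a var_run_t directory, since the transition only fires for that parent type.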