From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Sat, 12 Aug 2017 10:34:59 +0200 Subject: [refpolicy] [PATCH 1/2] terminal: /dev/pts exists in /dev filesystem Message-ID: <20170812083500.18273-1-nicolas.iooss@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com systemd tries to create /dev/pts directly with its context type "devpts_t", but this is not allowed: avc: denied { associate } for pid=1 comm="systemd" name="pts" scontext=system_u:object_r:devpts_t tcontext=system_u:object_r:device_t tclass=filesystem permissive=1 --- policy/modules/kernel/terminal.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index f71fda4b5e52..ff9ee502888b 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -25,6 +25,7 @@ dev_node(console_device_t) # the type of the root directory of the file system. # type devpts_t; +dev_associate(devpts_t) files_mountpoint(devpts_t) fs_associate_tmpfs(devpts_t) fs_xattr_type(devpts_t) -- 2.14.1
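
Review bot: The added `dev_associate(devpts_t)` in the `@@ -25,6 +25,7 @@` hunk of policy/modules/kernel/terminal.te has no comment explaining it, and the existing comment above `type devpts_t;` still describes the type only as "the type of the root directory of the file system." A one-line comment next to the new call would help. It should say that the /dev/pts directory itself is created with this type on the /dev filesystem (`device_t`), as the commit message describes for systemd. Otherwise a later reader may take the rule for a leftover next to `files_mountpoint(devpts_t)` and `fs_associate_tmpfs(devpts_t)`. Separately, the quoted AVC was logged with `permissive=1`, so the commit message should say whether this single `associate` rule was confirmed sufficient in enforcing mode. A permissive capture does not show that no further denial follows once the first one blocks.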