From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Sun, 10 Sep 2017 20:22:21 +0200 Subject: [refpolicy] [PATCH resend 1/2] init: allow systemd to create /dev/pts as devpts_t Message-ID: <20170910182222.11150-1-nicolas.iooss@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This is currently denied: avc: denied { create } for pid=1 comm="systemd" name="pts" scontext=system_u:system_r:init_t tcontext=system_u:object_r:devpts_t tclass=dir permissive=1 --- policy/modules/kernel/terminal.if | 18 ++++++++++++++++++ policy/modules/system/init.te | 2 ++ 2 files changed, 20 insertions(+) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index 16a96ec77e95..8be5a1d6de8d 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -149,6 +149,24 @@ interface(`term_mount_devpts',` allow $1 devpts_t:filesystem mount; ') +######################################## +## +## Create directory /dev/pts. +## +## +## +## The type of the process creating the directory. +## +## +# +interface(`term_create_devpts',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:dir create_dir_perms; +') + ######################################## ## ## Create a pty in the /dev/pts directory. diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index bdb0d6c86638..c6d2304569c9 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -323,6 +323,8 @@ ifdef(`init_systemd',` systemd_manage_passwd_runtime_symlinks(init_t) systemd_use_passwd_agent(init_t) + term_create_devpts(init_t) + # udevd is a "systemd kobject uevent socket activated daemon" udev_create_kobject_uevent_sockets(init_t) -- 2.14.1
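Review bot: In the terminal.if hunk, `allow $1 devpts_t:dir create_dir_perms;` grants more than the single `create` permission in the AVC denial quoted in the description (`create_dir_perms` also carries `getattr`), which is the usual refpolicy macro choice for a "create directory" interface, but the interface summary "Create directory /dev/pts." should say so, and the new `term_create_devpts` interface sits directly beside `term_mount_devpts`, so the summary could also state that a caller is expected to mount devpts on the directory afterwards (that is, also call `term_mount_devpts`), since creating an empty `devpts_t` directory on its own is not useful.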
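Review bot: In the init.te hunk, `term_create_devpts(init_t)` is dropped between `systemd_use_passwd_agent(init_t)` and the `udev_create_kobject_uevent_sockets(init_t)` block inside `ifdef(`init_systemd',`; refpolicy keeps calls grouped by the module prefix of the interface, so this `term_*` call belongs with the other `term_*` rules for `init_t` in that `ifdef` block rather than among the `systemd_*` and `udev_*` calls, and a one-line comment explaining that systemd (pid 1) creates `/dev/pts` itself before mounting devpts, as the quoted denial shows, would help the next reader see why init_t needs a create rule that other init implementations do not.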