From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 11 Sep 2017 19:45:52 -0400 Subject: [refpolicy] [PATCH resend 1/2] init: allow systemd to create /dev/pts as devpts_t In-Reply-To: <20170910182222.11150-1-nicolas.iooss@m4x.org> References: <20170910182222.11150-1-nicolas.iooss@m4x.org> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/10/2017 02:22 PM, Nicolas Iooss via refpolicy wrote: > This is currently denied: > > avc: denied { create } for pid=1 comm="systemd" name="pts" > scontext=system_u:system_r:init_t > tcontext=system_u:object_r:devpts_t tclass=dir permissive=1 > --- > policy/modules/kernel/terminal.if | 18 ++++++++++++++++++ > policy/modules/system/init.te | 2 ++ > 2 files changed, 20 insertions(+) > > diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if > index 16a96ec77e95..8be5a1d6de8d 100644 > --- a/policy/modules/kernel/terminal.if > +++ b/policy/modules/kernel/terminal.if > @@ -149,6 +149,24 @@ interface(`term_mount_devpts',` > allow $1 devpts_t:filesystem mount; > ') > > +######################################## > +## > +## Create directory /dev/pts. > +## > +## > +## > +## The type of the process creating the directory. > +## > +## > +# > +interface(`term_create_devpts',` > + gen_require(` > + type devpts_t; > + ') > + > + allow $1 devpts_t:dir create_dir_perms; > +') > + > ######################################## > ## > ## Create a pty in the /dev/pts directory. > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index bdb0d6c86638..c6d2304569c9 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te > @@ -323,6 +323,8 @@ ifdef(`init_systemd',` > systemd_manage_passwd_runtime_symlinks(init_t) > systemd_use_passwd_agent(init_t) > > + term_create_devpts(init_t) > + > # udevd is a "systemd kobject uevent socket activated daemon" > udev_create_kobject_uevent_sockets(init_t) Merged, though I renamed the interface. -- Chris PeBenito
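Review bot: in the terminal.if hunk, `allow $1 devpts_t:dir create_dir_perms;` only grants creation of the directory and carries no type transition, yet the AVC in the commit message already shows the new "pts" directory arriving as tcontext=devpts_t, so the labelling comes from a rule that lives elsewhere; the interface summary ("Create directory /dev/pts.") should say that it relies on that existing labelling rather than reading as self-contained. The name `term_create_devpts' is also the odd one out next to the neighbouring `term_mount_devpts' and `term_create_pty', and next to callers such as `systemd_manage_passwd_runtime_symlinks' and `udev_create_kobject_uevent_sockets' in the init.te context, which all end in the object class they act on; a name ending in `_dirs' would follow that convention, which is consistent with the interface being renamed on merge.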
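Review bot: in the init.te hunk, `term_create_devpts(init_t)` lands correctly in the alphabetical run between the systemd_* and udev_* calls, and gating it under ifdef(`init_systemd') matches the denial (pid=1 comm="systemd"); what is missing is a one-line comment, in the style of the `# udevd is a "systemd kobject uevent socket activated daemon"` comment two lines below, saying under which condition systemd creates /dev/pts itself instead of finding it already present, since neither the hunk nor the commit message records that and the next reader has no way to judge whether the rule is still needed.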