From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 12 Sep 2017 19:08:37 -0400
Subject: [refpolicy] [PATCH] portage: Add an interface to dontaudit accesses to ptys inherited from portage
In-Reply-To: <20170912071643.22114-1-aranea@aixah.de>
References: <20170912071643.22114-1-aranea@aixah.de>
Message-ID: <0cfa88e5-005d-4e08-c12e-3a363228dd7b@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
> ---
> portage.if | 20 ++++++++++++++++++++
> 1 file changed, 20 insertions(+)
>
> diff --git a/portage.if b/portage.if
> index c0c7e9b..77bc1d2 100644
> --- a/portage.if
> +++ b/portage.if
> @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
>
> dontaudit $1 portage_tmp_t:file rw_file_perms;
> ')
> +
> +########################################
> +##
> +## Do not audit attempts to read and write
> +## portage ptys.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +#
> +interface(`portage_dontaudit_use_ptys',`
> + gen_require(`
> + type portage_devpts_t;
> + ')
> +
> + dontaudit $1 portage_devpts_t:chr_file rw_inherited_term_perms;
> + term_dontaudit_use_ptmx($1)
I don't think this ptmx dontaudit applies here, especially if the pty is
inherited.
> +')
>
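Review bot: The `term_dontaudit_use_ptmx($1)` call at the end of the new interface does not match what the interface documents: the one rule it pairs with, `dontaudit $1 portage_devpts_t:chr_file rw_inherited_term_perms;`, covers only use of a pty the domain already holds open (the permission set is the inherited variant, not the full `rw_term_perms`), whereas `term_dontaudit_use_ptmx` concerns opening /dev/ptmx, which a domain using an inherited pty never does; drop the call or document in the summary why it is needed. The summary itself ("Do not audit attempts to read and write portage ptys") should also say "inherited portage ptys", so that callers do not expect it to quiet denials on opening the pty.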
--
Chris PeBenito