commit: 5c027610b5a5091d5cb2ae20cf2ed62177128253
Author: Nicolas Iooss via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Sat Aug 12 08:34:59 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:39:50 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5c027610
terminal: /dev/pts exists in /dev filesystem
systemd tries to create /dev/pts directly with its context type
"devpts_t", but this is not allowed:
avc: denied { associate } for pid=1 comm="systemd" name="pts"
scontext=system_u:object_r:devpts_t
tcontext=system_u:object_r:device_t
tclass=filesystem permissive=1
policy/modules/kernel/terminal.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/terminal.te
b/policy/modules/kernel/terminal.te
index f71fda4b..ff9ee502 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -25,6 +25,7 @@ dev_node(console_device_t)
# the type of the root directory of the file system.
#
type devpts_t;
+dev_associate(devpts_t)
files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
fs_xattr_type(devpts_t)
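Review bot: the new `dev_associate(devpts_t)` line carries no comment explaining why devpts_t needs to be associated with the /dev filesystem, while the neighbouring `fs_associate_tmpfs(devpts_t)` already covers the tmpfs case; the AVC in the commit message (scontext devpts_t, tcontext device_t, tclass filesystem) is the only place the reason is recorded, so a one-line comment above the new call, such as `# pid 1 creates the /dev/pts mountpoint inside the /dev filesystem`, would keep that rationale with the rule. The denial was captured with permissive=1, so it is worth confirming on an enforcing system that the mountpoint creation succeeds with this rule alone and that no further denials appear once the devpts mount itself is performed.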