/usr/share/selinux/ubuntu/include/apps/screen.if is in selinux-policy-ubuntu-dev 0.2.20091117-0ubuntu2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 | ## <summary>GNU terminal multiplexer</summary>
#######################################
## <summary>
## The role template for the screen module.
## </summary>
## <param name="role_prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
template(`screen_role_template',`
gen_require(`
type screen_exec_t, screen_tmp_t;
type screen_home_t, screen_var_run_t;
')
########################################
#
# Declarations
#
type $1_screen_t;
application_domain($1_screen_t, screen_exec_t)
domain_interactive_fd($1_screen_t)
ubac_constrained($1_screen_t)
role $2 types $1_screen_t;
########################################
#
# Local policy
#
allow $1_screen_t self:capability { setuid setgid fsetid };
allow $1_screen_t self:process signal_perms;
allow $1_screen_t self:fifo_file rw_fifo_file_perms;
allow $1_screen_t self:tcp_socket create_stream_socket_perms;
allow $1_screen_t self:udp_socket create_socket_perms;
# Internal screen networking
allow $1_screen_t self:fd use;
allow $1_screen_t self:unix_stream_socket create_socket_perms;
allow $1_screen_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir })
# Create fifo
manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
allow $1_screen_t screen_home_t:dir list_dir_perms;
read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
allow $1_screen_t $3:process signal;
domtrans_pattern($3, screen_exec_t, $1_screen_t)
allow $3 $1_screen_t:process { signal sigchld };
allow $1_screen_t $3:process signal;
manage_dirs_pattern($3, screen_home_t, screen_home_t)
manage_files_pattern($3, screen_home_t, screen_home_t)
manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
relabel_dirs_pattern($3, screen_home_t, screen_home_t)
relabel_files_pattern($3, screen_home_t, screen_home_t)
relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
kernel_read_system_state($1_screen_t)
kernel_read_kernel_sysctls($1_screen_t)
corecmd_list_bin($1_screen_t)
corecmd_read_bin_files($1_screen_t)
corecmd_read_bin_symlinks($1_screen_t)
corecmd_read_bin_pipes($1_screen_t)
corecmd_read_bin_sockets($1_screen_t)
# Revert to the user domain when a shell is executed.
corecmd_shell_domtrans($1_screen_t, $3)
corecmd_bin_domtrans($1_screen_t, $3)
corenet_all_recvfrom_unlabeled($1_screen_t)
corenet_all_recvfrom_netlabel($1_screen_t)
corenet_tcp_sendrecv_generic_if($1_screen_t)
corenet_udp_sendrecv_generic_if($1_screen_t)
corenet_tcp_sendrecv_generic_node($1_screen_t)
corenet_udp_sendrecv_generic_node($1_screen_t)
corenet_tcp_sendrecv_all_ports($1_screen_t)
corenet_udp_sendrecv_all_ports($1_screen_t)
corenet_tcp_connect_all_ports($1_screen_t)
dev_dontaudit_getattr_all_chr_files($1_screen_t)
dev_dontaudit_getattr_all_blk_files($1_screen_t)
# for SSP
dev_read_urand($1_screen_t)
domain_use_interactive_fds($1_screen_t)
files_search_tmp($1_screen_t)
files_search_home($1_screen_t)
files_list_home($1_screen_t)
files_read_usr_files($1_screen_t)
files_read_etc_files($1_screen_t)
fs_search_auto_mountpoints($1_screen_t)
fs_getattr_xattr_fs($1_screen_t)
auth_domtrans_chk_passwd($1_screen_t)
auth_use_nsswitch($1_screen_t)
auth_dontaudit_read_shadow($1_screen_t)
auth_dontaudit_exec_utempter($1_screen_t)
# Write to utmp.
init_rw_utmp($1_screen_t)
logging_send_syslog_msg($1_screen_t)
miscfiles_read_localization($1_screen_t)
seutil_read_config($1_screen_t)
userdom_use_user_terminals($1_screen_t)
userdom_create_user_pty($1_screen_t)
userdom_user_home_domtrans($1_screen_t, $3)
userdom_setattr_user_ptys($1_screen_t)
tunable_policy(`use_samba_home_dirs',`
fs_cifs_domtrans($1_screen_t, $3)
fs_read_cifs_symlinks($1_screen_t)
fs_list_cifs($1_screen_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_nfs_domtrans($1_screen_t, $3)
fs_list_nfs($1_screen_t)
fs_read_nfs_symlinks($1_screen_t)
')
')
|