# xserver module: the X server domain (xserver_t), the graphical login
# manager domain (xdm_t), the authority-file helpers (xauth_t, iceauth_t)
# and the X object types used by the X userspace object manager rules.
policy_module(xserver, 3.5.6)

# X object classes and their permission sets are declared in the kernel
# policy and only required here. The x_* rules in this module are
# presumably only enforced by an X server acting as a userspace object
# manager; see the xserver_object_manager tunable below.
gen_require(`
	class x_drawable all_x_drawable_perms;
	class x_screen all_x_screen_perms;
	class x_gc all_x_gc_perms;
	class x_font all_x_font_perms;
	class x_colormap all_x_colormap_perms;
	class x_property all_x_property_perms;
	class x_selection all_x_selection_perms;
	class x_cursor all_x_cursor_perms;
	class x_client all_x_client_perms;
	class x_device all_x_device_perms;
	class x_pointer all_x_pointer_perms;
	class x_keyboard all_x_keyboard_perms;
	class x_server all_x_server_perms;
	class x_extension all_x_extension_perms;
	class x_resource all_x_resource_perms;
	class x_event all_x_event_perms;
	class x_synthetic_event all_x_synthetic_event_perms;
')

########################################
#
# Declarations
#

## <desc>
## <p>
## Allows clients to write to the X server shared
## memory segments.
## </p>
## </desc>
gen_tunable(allow_write_xshm, false)

## <desc>
## <p>
## Allows XServer to execute writable memory
## </p>
## </desc>
# NOTE(review): the tunable_policy block that consumes this boolean is in
# the X server section, outside the visible part of this file. By its
# description it relaxes the W^X restriction on the X server process, so
# it should stay off unless a specific driver is known to need it.
gen_tunable(allow_xserver_execmem, false)

## <desc>
## <p>
## Allow the graphical login program to execute bootloader
## </p>
## </desc>
gen_tunable(xdm_exec_bootloader, false)

## <desc>
## <p>
## Allow the graphical login program to login directly as sysadm_r:sysadm_t
## </p>
## </desc>
# See the xdm_sysadm_login tunable_policy block in the XDM section: when
# enabled, xdm_t may transition into any user domain instead of only the
# unprivileged ones.
gen_tunable(xdm_sysadm_login, false)

## <desc>
## <p>
## Support X userspace object manager
## </p>
## </desc>
gen_tunable(xserver_object_manager, false)

## <desc>
## <p>
## Allow regular users direct dri device access
## </p>
## </desc>
gen_tunable(user_direct_dri, false)

attribute xdmhomewriter;
attribute x_userdomain;
attribute x_domain;

# X Events
attribute xevent_type;
attribute input_xevent_type;
type xevent_t, xevent_type;
# Per-role aliases: every *_property/focus/manage/default_xevent_t name
# below resolves to the single xevent_t type.
typealias xevent_t alias { user_property_xevent_t staff_property_xevent_t sysadm_property_xevent_t };
typealias xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t };
typealias xevent_t alias { user_focus_xevent_t staff_focus_xevent_t sysadm_focus_xevent_t };
typealias xevent_t alias { auditadm_focus_xevent_t secadm_focus_xevent_t };
typealias xevent_t alias { user_manage_xevent_t staff_manage_xevent_t sysadm_manage_xevent_t };
typealias xevent_t alias { auditadm_manage_xevent_t secadm_manage_xevent_t };
typealias xevent_t alias { user_default_xevent_t staff_default_xevent_t sysadm_default_xevent_t };
typealias xevent_t alias { auditadm_default_xevent_t secadm_default_xevent_t };

type client_xevent_t, xevent_type;
typealias client_xevent_t alias { user_client_xevent_t staff_client_xevent_t sysadm_client_xevent_t };
typealias client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t };

type input_xevent_t, xevent_type, input_xevent_type;

# X Extensions
attribute xextension_type;
type xextension_t, xextension_type;
type security_xextension_t, xextension_type;

# X Properties
attribute xproperty_type;
type xproperty_t, xproperty_type;
type seclabel_xproperty_t, xproperty_type;
type clipboard_xproperty_t, xproperty_type;

# X Selections
attribute xselection_type;
type xselection_t, xselection_type;
type clipboard_xselection_t, xselection_type;
#type settings_xselection_t, xselection_type;
#type dbus_xselection_t, xselection_type;

# X Drawables
attribute xdrawable_type;
attribute xcolormap_type;
type root_xdrawable_t, xdrawable_type;
type root_xcolormap_t, xcolormap_type;

# Attribute for domains exempt from the X object manager checks (by
# name); xserver_unconfined(xdm_t) in the XDM section presumably adds
# xdm_t to it.
attribute xserver_unconfined_type;

xserver_object_types_template(root)
xserver_object_types_template(user)

typealias user_xproperty_t alias { staff_xproperty_t sysadm_xproperty_t };
typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t };
typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t };
typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xevent_t };

type remote_t;
xserver_object_types_template(remote)
xserver_common_x_domain_template(remote, remote_t)

# Per-user font data, cache and configuration live in the home directory;
# all per-role names are aliases of the single user_* type.
type user_fonts_t;
typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
userdom_user_home_content(user_fonts_t)

type user_fonts_cache_t;
typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t };
userdom_user_home_content(user_fonts_cache_t)

type user_fonts_config_t;
typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t };
typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t };
typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t };
userdom_user_home_content(user_fonts_config_t)

# iceauth: ICE authority helper, an application domain constrained by UBAC.
type iceauth_t;
type iceauth_exec_t;
typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t };
typealias iceauth_t alias { xguest_iceauth_t };
typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
application_domain(iceauth_t, iceauth_exec_t)
ubac_constrained(iceauth_t)

type iceauth_home_t;
typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
typealias iceauth_home_t alias { xguest_iceauth_home_t };
userdom_user_home_content(iceauth_home_t)

# xauth: X authority helper, an application domain constrained by UBAC.
type xauth_t;
type xauth_exec_t;
typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t };
application_domain(xauth_t, xauth_exec_t)
ubac_constrained(xauth_t)

# Per-user X authority file; both xauth_t and xdm_t manage files of this
# type, see the local policy sections below.
type xauth_home_t;
typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t };
userdom_user_home_content(xauth_home_t)

type xauth_tmp_t;
typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t };
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
files_tmp_file(xauth_tmp_t)
ubac_constrained(xauth_tmp_t)

# this is not actually a device, its a pipe
type xconsole_device_t;
files_type(xconsole_device_t)
fs_associate_tmpfs(xconsole_device_t)
files_associate_tmp(xconsole_device_t)

# xdm_t is the display manager domain: a login program domain
# (auth_login_pgm_domain) started by init, with its own X object types.
type xdm_t;
type xdm_exec_t;
auth_login_pgm_domain(xdm_t)
init_domain(xdm_t, xdm_exec_t)
init_system_domain(xdm_t, xdm_exec_t)
xserver_object_types_template(xdm)
xserver_common_x_domain_template(xdm, xdm_t)

type xdm_lock_t;
files_lock_file(xdm_lock_t)

type xdm_etc_t;
files_config_file(xdm_etc_t)

# Config type that xdm_t is allowed to create and modify, unlike xdm_etc_t
# which it only reads; see the wdm note in the XDM section.
type xdm_rw_etc_t;
files_config_file(xdm_rw_etc_t)

type xdm_spool_t;
files_spool_file(xdm_spool_t)

type xdm_var_lib_t;
files_type(xdm_var_lib_t)

type xdm_var_run_t;
files_pid_file(xdm_var_run_t)

type xserver_var_lib_t;
files_type(xserver_var_lib_t)

type xserver_var_run_t;
files_pid_file(xserver_var_run_t)

type xdm_tmp_t;
files_tmp_file(xdm_tmp_t)
# xserver_tmp_t and the per-role *_xserver_tmp_t names are aliases of
# xdm_tmp_t, so every rule on xdm_tmp_t in this file also covers the X
# server tmp files (for example the /tmp/.X11-unix sockets).
typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
ubac_constrained(xdm_tmp_t)

type xdm_tmpfs_t;
files_tmpfs_file(xdm_tmpfs_t)

type xdm_home_t;
userdom_user_home_content(xdm_home_t)

type xdm_log_t;
logging_log_file(xdm_log_t)

# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)

# Type for the executable used to start the X server, e.g. Xwrapper.
type xserver_t;
type xserver_exec_t;
typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t };
typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
init_system_domain(xserver_t, xserver_exec_t)
ubac_constrained(xserver_t)

type xserver_tmpfs_t;
typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t };
typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)

# Executable type for X session startup scripts.
type xsession_exec_t;
corecmd_executable_file(xsession_exec_t)

# Type for the X server log file.
type xserver_log_t;
logging_log_file(xserver_log_t)

# Under MCS the display manager is declared ranged over the full
# s0 - mcs_systemhigh range, presumably so it can start sessions at any
# category set.
ifdef(`enable_mcs',`
	init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
	init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
')

optional_policy(`
	prelink_object_file(xkb_var_lib_t)
')

########################################
#
# Iceauth local policy
#
# iceauth_t manages the ICE authority file of the user (iceauth_home_t)
# in the home directory; xdm_t only needs to read that file.

allow iceauth_t iceauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)

allow xdm_t iceauth_home_t:file read_file_perms;

dev_read_rand(iceauth_t)

fs_search_auto_mountpoints(iceauth_t)

userdom_use_inherited_user_terminals(iceauth_t)
userdom_read_user_tmp_files(iceauth_t)
userdom_read_all_users_state(iceauth_t)
userdom_home_manager(iceauth_t)

# Every interface in this block is a dontaudit: it suppresses audit noise
# (presumably from inherited descriptors and devices) without granting
# any access.
ifdef(`hide_broken_symptoms',`
	dev_dontaudit_read_urand(iceauth_t)
	dev_dontaudit_rw_dri(iceauth_t)
	dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
	fs_dontaudit_list_inotifyfs(iceauth_t)
	fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
	term_dontaudit_use_unallocated_ttys(iceauth_t)

	userdom_dontaudit_read_user_home_content_files(iceauth_t)
	userdom_dontaudit_write_user_home_content_files(iceauth_t)
	userdom_dontaudit_write_user_tmp_files(iceauth_t)
')

########################################
#
# Xauth local policy
#
# xauth_t maintains the per-user X authority file (xauth_home_t) and may
# reach the X server over its tmp socket and over the xserver TCP port.

# dac_override bypasses discretionary file permission checks. For a helper
# that edits per-user authority files this is broader than needed and is
# worth revisiting.
allow xauth_t self:capability dac_override;
allow xauth_t self:process signal;
allow xauth_t self:shm create_shm_perms;
allow xauth_t self:unix_stream_socket create_stream_socket_perms;
allow xauth_t self:unix_dgram_socket create_socket_perms;

allow xauth_t xdm_t:process sigchld;
allow xauth_t xserver_t:unix_stream_socket connectto;

corenet_tcp_connect_xserver_port(xauth_t)

allow xauth_t xauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file)

manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)

manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })

# xserver_tmp_t is an alias of xdm_tmp_t, declared above.
stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)

kernel_read_network_state(xauth_t)
kernel_read_system_state(xauth_t)
kernel_request_load_module(xauth_t)

domain_use_interactive_fds(xauth_t)
domain_dontaudit_leaks(xauth_t)

files_read_etc_files(xauth_t)
files_read_usr_files(xauth_t)
files_search_pids(xauth_t)
files_dontaudit_getattr_all_dirs(xauth_t)
files_dontaudit_leaks(xauth_t)
# Files xauth_t creates under /var/lib are labeled xauth_home_t; the nx
# optional block below does the same for the nx lib directory.
files_var_lib_filetrans(xauth_t, xauth_home_t, file)

fs_dontaudit_leaks(xauth_t)
fs_getattr_all_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)

# Probably a leak
term_dontaudit_use_ptmx(xauth_t)
term_dontaudit_use_console(xauth_t)

auth_use_nsswitch(xauth_t)

userdom_use_inherited_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
userdom_read_all_users_state(xauth_t)

xserver_rw_xdm_tmp_files(xauth_t)

# NOTE(review): unlike the dontaudit interfaces around them,
# userdom_manage_user_home_content_files and userdom_manage_user_tmp_files
# are, by name, allow interfaces. A build with hide_broken_symptoms would
# therefore grant xauth_t write access to all user home content and user
# tmp files rather than merely silencing denials. Confirm this is intended
# or move the two calls out of this block.
ifdef(`hide_broken_symptoms',`
	fs_dontaudit_rw_anon_inodefs_files(xauth_t)
	fs_dontaudit_list_inotifyfs(xauth_t)
	userdom_manage_user_home_content_files(xauth_t)
	userdom_manage_user_tmp_files(xauth_t)
	dev_dontaudit_rw_generic_dev_nodes(xauth_t)
	miscfiles_read_fonts(xauth_t)
')

userdom_home_manager(xauth_t)

ifdef(`hide_broken_symptoms',`
	term_dontaudit_use_unallocated_ttys(xauth_t)
	dev_dontaudit_rw_dri(xauth_t)
')

optional_policy(`
	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
')

optional_policy(`
	ssh_sigchld(xauth_t)
	ssh_read_pipes(xauth_t)
	ssh_dontaudit_rw_tcp_sockets(xauth_t)
')

389########################################
390#
391# XDM Local policy
392#
393
995bdbb1 394allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
395
396allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate };
397tunable_policy(`deny_ptrace',`',`
398 allow xdm_t self:process ptrace;
399')
400
c0868a7a 401allow xdm_t self:fifo_file rw_fifo_file_perms;
0f5d13fe
CP
402allow xdm_t self:shm create_shm_perms;
403allow xdm_t self:sem create_sem_perms;
404allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
3eaa9939 405allow xdm_t self:unix_dgram_socket { create_socket_perms sendto };
0f5d13fe
CP
406allow xdm_t self:tcp_socket create_stream_socket_perms;
407allow xdm_t self:udp_socket create_socket_perms;
3eaa9939 408allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms;
a5e2133b
CP
409allow xdm_t self:socket create_socket_perms;
410allow xdm_t self:appletalk_socket create_socket_perms;
411allow xdm_t self:key { search link write };
0f5d13fe 412
3eaa9939
DW
413allow xdm_t xauth_home_t:file manage_file_perms;
414
7d1f5642 415allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
3eaa9939
DW
416manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
417manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
418
419manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
67b181a4 420userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
697e067d 421userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, file)
a11cc065 422xserver_filetrans_home_content(xdm_t)
697e067d 423xserver_filetrans_admin_home_content(xdm_t)
1a49cc1d 424
3eaa9939
DW
425#Handle mislabeled files in homedir
426userdom_delete_user_home_content_files(xdm_t)
427userdom_signull_unpriv_users(xdm_t)
428userdom_dontaudit_read_admin_home_lnk_files(xdm_t)
413982c6 429
0f5d13fe
CP
430# Allow gdm to run gdm-binary
431can_exec(xdm_t, xdm_exec_t)
432
6b19be33 433allow xdm_t xdm_lock_t:file manage_file_perms;
0bfccda4 434files_lock_filetrans(xdm_t, xdm_lock_t, file)
6b19be33 435
3eaa9939
DW
436read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
437read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
0f5d13fe
CP
438# wdm has its own config dir /etc/X11/wdm
439# this is ugly, daemons should not create files under /etc!
0bfccda4 440manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
0f5d13fe 441
0bfccda4
CP
442manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
443manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
3eaa9939 444manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
0bfccda4 445manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
3eaa9939
DW
446files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })
447relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
448relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
5bca3cad 449can_exec(xdm_t, xdm_tmp_t)
6b19be33 450
0bfccda4
CP
451manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
452manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
453manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
454manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
455manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
3eaa9939
DW
456
457manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
458
459files_search_spool(xdm_t)
460manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
461manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
462files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
6b19be33 463
aaf8a677 464manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
0bfccda4 465manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
3eaa9939
DW
466manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
467manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
468files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir })
469# Read machine-id
470files_read_var_lib_files(xdm_t)
6b19be33 471
0bfccda4
CP
472manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
473manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
474manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
3eaa9939
DW
475manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
476files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
6b19be33 477
3eaa9939 478allow xdm_t xserver_t:process { signal signull };
296273a7 479allow xdm_t xserver_t:unix_stream_socket connectto;
6b19be33 480
296273a7 481allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
7d1f5642 482allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms };
6b19be33
CP
483
484# transition to the xdm xserver
296273a7 485domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
3eaa9939
DW
486
487ps_process_pattern(xserver_t, xdm_t)
296273a7
CP
488allow xserver_t xdm_t:process signal;
489allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
6b19be33 490
296273a7 491allow xdm_t xserver_t:shm rw_shm_perms;
3eaa9939 492read_files_pattern(xdm_t, xserver_t, xserver_t)
6b19be33
CP
493
494# connect to xdm xserver over stream socket
3f67f722 495stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
6b19be33
CP
496
497# Remove /tmp/.X11-unix/X0.
3f67f722
CP
498delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
499delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
6b19be33 500
3eaa9939
DW
501manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)
502manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
503manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
504logging_log_filetrans(xdm_t, xdm_log_t, { dir file })
505
0bfccda4
CP
506manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
507manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
508manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
6b19be33 509
0f5d13fe 510kernel_read_system_state(xdm_t)
3eaa9939 511kernel_read_device_sysctls(xdm_t)
445522dc 512kernel_read_kernel_sysctls(xdm_t)
a5e2133b
CP
513kernel_read_net_sysctls(xdm_t)
514kernel_read_network_state(xdm_t)
3eaa9939
DW
515kernel_request_load_module(xdm_t)
516kernel_stream_connect(xdm_t)
0f5d13fe
CP
517
518corecmd_exec_shell(xdm_t)
519corecmd_exec_bin(xdm_t)
465f988e 520corecmd_dontaudit_access_all_executables(xdm_t)
0f5d13fe 521
19006686
CP
522corenet_all_recvfrom_unlabeled(xdm_t)
523corenet_all_recvfrom_netlabel(xdm_t)
0f5d13fe
CP
524corenet_tcp_sendrecv_generic_if(xdm_t)
525corenet_udp_sendrecv_generic_if(xdm_t)
c1262146
CP
526corenet_tcp_sendrecv_generic_node(xdm_t)
527corenet_udp_sendrecv_generic_node(xdm_t)
0f5d13fe
CP
528corenet_tcp_sendrecv_all_ports(xdm_t)
529corenet_udp_sendrecv_all_ports(xdm_t)
c1262146
CP
530corenet_tcp_bind_generic_node(xdm_t)
531corenet_udp_bind_generic_node(xdm_t)
3eaa9939
DW
532corenet_udp_bind_ipp_port(xdm_t)
533corenet_udp_bind_xdmcp_port(xdm_t)
0f5d13fe 534corenet_tcp_connect_all_ports(xdm_t)
141cffdd 535corenet_sendrecv_all_client_packets(xdm_t)
0f5d13fe
CP
536# xdm tries to bind to biff_port_t
537corenet_dontaudit_tcp_bind_all_ports(xdm_t)
538
3eaa9939 539dev_rwx_zero(xdm_t)
0f5d13fe 540dev_read_rand(xdm_t)
03527520 541dev_rw_sysfs(xdm_t)
207c4763
CP
542dev_getattr_framebuffer_dev(xdm_t)
543dev_setattr_framebuffer_dev(xdm_t)
544dev_getattr_mouse_dev(xdm_t)
545dev_setattr_mouse_dev(xdm_t)
0f5d13fe 546dev_rw_apm_bios(xdm_t)
3eaa9939 547dev_rw_input_dev(xdm_t)
207c4763
CP
548dev_setattr_apm_bios_dev(xdm_t)
549dev_rw_dri(xdm_t)
550dev_rw_agp(xdm_t)
0f5d13fe
CP
551dev_getattr_xserver_misc_dev(xdm_t)
552dev_setattr_xserver_misc_dev(xdm_t)
0d9d0f86 553dev_rw_xserver_misc(xdm_t)
207c4763
CP
554dev_getattr_misc_dev(xdm_t)
555dev_setattr_misc_dev(xdm_t)
0f5d13fe 556dev_dontaudit_rw_misc(xdm_t)
3eaa9939
DW
557dev_read_video_dev(xdm_t)
558dev_write_video_dev(xdm_t)
0f5d13fe 559dev_setattr_video_dev(xdm_t)
207c4763
CP
560dev_getattr_scanner_dev(xdm_t)
561dev_setattr_scanner_dev(xdm_t)
3eaa9939
DW
562dev_read_sound(xdm_t)
563dev_write_sound(xdm_t)
207c4763
CP
564dev_getattr_power_mgmt_dev(xdm_t)
565dev_setattr_power_mgmt_dev(xdm_t)
3eaa9939
DW
566dev_getattr_null_dev(xdm_t)
567dev_setattr_null_dev(xdm_t)
0f5d13fe 568
15722ec9 569domain_use_interactive_fds(xdm_t)
0f5d13fe
CP
570# Do not audit denied probes of /proc.
571domain_dontaudit_read_all_domains_state(xdm_t)
3eaa9939 572domain_dontaudit_ptrace_all_domains(xdm_t)
1a82786c 573domain_dontaudit_signal_all_domains(xdm_t)
86cfdcd3 574domain_dontaudit_getattr_all_entry_files(xdm_t)
0f5d13fe
CP
575
576files_read_etc_files(xdm_t)
a5e2133b 577files_read_var_files(xdm_t)
0f5d13fe
CP
578files_read_etc_runtime_files(xdm_t)
579files_exec_etc_files(xdm_t)
580files_list_mnt(xdm_t)
581# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
582files_read_usr_files(xdm_t)
583# Poweroff wants to create the /poweroff file when run from xdm
584files_create_boot_flag(xdm_t)
3eaa9939
DW
585files_dontaudit_getattr_boot_dirs(xdm_t)
586files_dontaudit_write_usr_files(xdm_t)
bde923a7 587files_dontaudit_access_check_etc(xdm_t)
3eaa9939
DW
588files_dontaudit_getattr_all_dirs(xdm_t)
589files_dontaudit_getattr_all_symlinks(xdm_t)
9bb35815 590files_dontaudit_getattr_all_tmp_sockets(xdm_t)
998e4fa4 591files_dontaudit_all_access_check(xdm_t)
0f5d13fe
CP
592
593fs_getattr_all_fs(xdm_t)
594fs_search_auto_mountpoints(xdm_t)
3eaa9939
DW
595fs_rw_anon_inodefs_files(xdm_t)
596fs_mount_tmpfs(xdm_t)
ab9d1c17
MG
597fs_list_inotifyfs(xdm_t)
598fs_dontaudit_list_noxattr_fs(xdm_t)
599fs_dontaudit_read_noxattr_fs_files(xdm_t)
600fs_manage_cgroup_dirs(xdm_t)
601fs_manage_cgroup_files(xdm_t)
3eaa9939
DW
602
603mls_socket_write_to_clearance(xdm_t)
0f5d13fe 604
0f5d13fe
CP
605storage_dontaudit_read_fixed_disk(xdm_t)
606storage_dontaudit_write_fixed_disk(xdm_t)
1815bad1 607storage_dontaudit_setattr_fixed_disk_dev(xdm_t)
0f5d13fe
CP
608storage_dontaudit_raw_read_removable_device(xdm_t)
609storage_dontaudit_raw_write_removable_device(xdm_t)
1815bad1 610storage_dontaudit_setattr_removable_dev(xdm_t)
0f5d13fe 611storage_dontaudit_rw_scsi_generic(xdm_t)
3eaa9939 612storage_dontaudit_rw_fuse(xdm_t)
0f5d13fe
CP
613
614term_setattr_console(xdm_t)
3eaa9939 615term_use_console(xdm_t)
3923f62a 616term_use_virtio_console(xdm_t)
1815bad1 617term_use_unallocated_ttys(xdm_t)
0f5d13fe 618term_setattr_unallocated_ttys(xdm_t)
3eaa9939
DW
619term_relabel_all_ttys(xdm_t)
620term_relabel_unallocated_ttys(xdm_t)
0f5d13fe 621
6b19be33 622auth_domtrans_pam_console(xdm_t)
0f5d13fe 623auth_manage_pam_pid(xdm_t)
0f5d13fe 624auth_manage_pam_console_data(xdm_t)
3eaa9939 625auth_signal_pam(xdm_t)
a5e2133b
CP
626auth_rw_faillog(xdm_t)
627auth_write_login_records(xdm_t)
0f5d13fe 628
0f5d13fe 629# Run telinit->init to shutdown.
a5f5eba4 630init_telinit(xdm_t)
3eaa9939 631init_dbus_chat(xdm_t)
0f5d13fe 632
0f5d13fe
CP
633libs_exec_lib_files(xdm_t)
634
0f5d13fe
CP
635logging_read_generic_logs(xdm_t)
636
3eaa9939 637miscfiles_search_man_pages(xdm_t)
0f5d13fe
CP
638miscfiles_read_localization(xdm_t)
639miscfiles_read_fonts(xdm_t)
3eaa9939
DW
640miscfiles_manage_fonts_cache(xdm_t)
641miscfiles_manage_localization(xdm_t)
642miscfiles_read_hwdata(xdm_t)
0f5d13fe 643
15722ec9 644userdom_dontaudit_use_unpriv_user_fds(xdm_t)
fe3a1eb8 645userdom_create_all_users_keys(xdm_t)
0f5d13fe 646# for .dmrc
296273a7 647userdom_read_user_home_content_files(xdm_t)
0f5d13fe 648# Search /proc for any user domain processes.
1815bad1 649userdom_read_all_users_state(xdm_t)
0f5d13fe 650userdom_signal_all_users(xdm_t)
3eaa9939
DW
651userdom_stream_connect(xdm_t)
652userdom_manage_user_tmp_dirs(xdm_t)
653userdom_manage_user_tmp_files(xdm_t)
654userdom_manage_user_tmp_sockets(xdm_t)
655userdom_manage_tmpfs_role(system_r, xdm_t)
ed2ac112 656userdom_home_manager(xdm_t)
3eaa9939
DW
657
658application_signal(xdm_t)
0f5d13fe 659
3f67f722 660xserver_rw_session(xdm_t, xdm_tmpfs_t)
2c12b471 661xserver_unconfined(xdm_t)
4e6b3f6d 662xserver_domtrans_xauth(xdm_t)
0f5d13fe 663
4781493e
DG
664ifndef(`distro_redhat',`
665 allow xdm_t self:process { execheap execmem };
666')
667
668ifdef(`distro_rhel4',`
669 allow xdm_t self:process { execheap execmem };
670')
671
0f5d13fe 672tunable_policy(`use_nfs_home_dirs',`
4d851fe9 673 fs_exec_nfs_files(xdm_t)
0f5d13fe
CP
674')
675
676tunable_policy(`use_samba_home_dirs',`
4d851fe9 677 fs_exec_cifs_files(xdm_t)
0f5d13fe
CP
678')
679
0de56606
MG
680optional_policy(`
681 tunable_policy(`xdm_exec_bootloader',`
682 bootloader_exec(xdm_t)
683 files_read_boot_files(xdm_t)
684 files_read_boot_symlinks(xdm_t)
685 ')
6aff8c7e
MG
686')
687
6b19be33
CP
688tunable_policy(`xdm_sysadm_login',`
689 userdom_xsession_spec_domtrans_all_users(xdm_t)
690 # FIXME:
691# xserver_rw_session_template(xdm,userdomain)
692',`
693 userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
694 # FIXME:
695# xserver_rw_session_template(xdm,unpriv_userdomain)
296273a7
CP
696# dontaudit xserver_t sysadm_t:shm { unix_read unix_write };
697# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
6b19be33
CP
698')
699
3eaa9939
DW
700optional_policy(`
701 accountsd_read_lib_files(xdm_t)
702')
703
4cee2dc1
DW
704optional_policy(`
705 acct_dontaudit_list_data(xdm_t)
706')
707
6b19be33
CP
708optional_policy(`
709 alsa_domtrans(xdm_t)
3eaa9939 710 alsa_read_rw_config(xdm_t)
6b19be33
CP
711')
712
e66689f7
CP
713optional_policy(`
714 consolekit_dbus_chat(xdm_t)
3eaa9939 715 consolekit_read_log(xdm_t)
e66689f7
CP
716')
717
3b914745 718optional_policy(`
46551033 719 consoletype_exec(xdm_t)
3b914745
CP
720')
721
3eaa9939
DW
722optional_policy(`
723 # Use dbus to start other processes as xdm_t
724 dbus_role_template(xdm, system_r, xdm_t)
62b52308
MG
725
726 #fixes for xfce4-notifyd
727 allow xdm_dbusd_t self:unix_stream_socket connectto;
728 allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;
3eaa9939
DW
729
730 dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
731 xserver_xdm_append_log(xdm_dbusd_t)
732 xserver_read_xdm_pid(xdm_dbusd_t)
62b52308
MG
733
734 miscfiles_read_fonts(xdm_dbusd_t)
3eaa9939
DW
735
736 corecmd_bin_entry_type(xdm_t)
737
738 dbus_system_bus_client(xdm_t)
739
740 optional_policy(`
741 bluetooth_dbus_chat(xdm_t)
742 ')
743
37a876b1 744 optional_policy(`
ab9d1c17 745 cpufreqselector_dbus_chat(xdm_t)
37a876b1
DW
746 ')
747
3eaa9939
DW
748 optional_policy(`
749 devicekit_dbus_chat_disk(xdm_t)
750 devicekit_dbus_chat_power(xdm_t)
751 ')
752
753 optional_policy(`
754 hal_dbus_chat(xdm_t)
755 ')
756
757 optional_policy(`
758 networkmanager_dbus_chat(xdm_t)
759 ')
3eaa9939
DW
760')
761
bb7170f6 762optional_policy(`
0f5d13fe
CP
763 # Talk to the console mouse server.
764 gpm_stream_connect(xdm_t)
765 gpm_setattr_gpmctl(xdm_t)
766')
767
3eaa9939 768optional_policy(`
ca9e8850 769 gnome_exec_keyringd(xdm_t)
3eaa9939
DW
770 gnome_manage_config(xdm_t)
771 gnome_manage_gconf_home_files(xdm_t)
7448939f 772 gnome_filetrans_home_content(xdm_t)
3eaa9939 773 gnome_read_config(xdm_t)
6174d664 774 gnome_read_usr_config(xdm_t)
3eaa9939 775 gnome_read_gconf_config(xdm_t)
31f04122 776 gnome_transition_gkeyringd(xdm_t)
3eaa9939
DW
777')
778
bb7170f6 779optional_policy(`
0f5d13fe
CP
780 hostname_exec(xdm_t)
781')
782
bb7170f6 783optional_policy(`
0f5d13fe
CP
784 loadkeys_exec(xdm_t)
785')
786
bb7170f6 787optional_policy(`
0f5d13fe
CP
788 locallogin_signull(xdm_t)
789')
790
bb7170f6 791optional_policy(`
0f5d13fe 792 # Do not audit attempts to check whether user root has email
1815bad1 793 mta_dontaudit_getattr_spool_files(xdm_t)
0f5d13fe
CP
794')
795
3eaa9939 796optional_policy(`
aaf8a677 797 policykit_dbus_chat(xdm_t)
3eaa9939
DW
798 policykit_domtrans_auth(xdm_t)
799 policykit_read_lib(xdm_t)
800 policykit_read_reload(xdm_t)
801 policykit_signal_auth(xdm_t)
802')
803
804optional_policy(`
805 pcscd_stream_connect(xdm_t)
806')
807
808optional_policy(`
809 plymouthd_search_spool(xdm_t)
810 plymouthd_exec_plymouth(xdm_t)
f5b49a5e 811 plymouthd_stream_connect(xdm_t)
5505450b 812 plymouthd_read_log(xdm_t)
3eaa9939
DW
813')
814
815optional_policy(`
816 pulseaudio_exec(xdm_t)
817 pulseaudio_dbus_chat(xdm_t)
818 pulseaudio_stream_connect(xdm_t)
819')
820
296273a7
CP
821optional_policy(`
822 resmgr_stream_connect(xdm_t)
823')
824
bdc8dc83
MG
825optional_policy(`
826 rhev_stream_connect_agentd(xdm_t)
827 rhev_read_pid_files_agentd(xdm_t)
828')
829
3eaa9939
DW
830# On crash gdm execs gdb to dump stack
831optional_policy(`
832 rpm_exec(xdm_t)
833 rpm_read_db(xdm_t)
834 rpm_dontaudit_manage_db(xdm_t)
c4b9f69a 835 rpm_dontaudit_dbus_chat(xdm_t)
3eaa9939
DW
836')
837
838optional_policy(`
839 rtkit_scheduled(xdm_t)
840')
841
bb7170f6 842optional_policy(`
0f5d13fe
CP
843 seutil_sigchld_newrole(xdm_t)
844')
845
3eaa9939
DW
846optional_policy(`
847 ssh_signull(xdm_t)
848')
849
850optional_policy(`
851 shutdown_domtrans(xdm_t)
852')
853
bb7170f6 854optional_policy(`
0f5d13fe
CP
855 udev_read_db(xdm_t)
856')
857
350b6ab7 858optional_policy(`
3eaa9939
DW
859 unconfined_signal(xdm_t)
860')
350b6ab7 861
bb7170f6 862optional_policy(`
863 userhelper_dontaudit_search_config(xdm_t)
864')
865
bb7170f6 866optional_policy(`
867 usermanage_read_crack_db(xdm_t)
868')
869
870optional_policy(`
871 vdagent_stream_connect(xdm_t)
872')
873
bb7170f6 874optional_policy(`
875 xfs_stream_connect(xdm_t)
876')
877
878########################################
879#
880# X server local policy
881#
882
883# X Object Manager rules
884type_transition xserver_t xserver_t:x_drawable root_xdrawable_t;
885type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
886type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
887
888allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
889allow xserver_t input_xevent_t:x_event send;
890
891# setuid/setgid: the wrapper program uses them to change UID
892# sys_rawio: for iopl access - should not be needed when using the frame buffer
893# sys_admin: locking shared memory? chowning IPC message queues or semaphores?
894# admin of the APM BIOS?
895# sys_nice: so that the X server can set a negative nice value
896# execheap is needed until the X module loader is fixed; NVIDIA needs execstack
897# (both are excluded from the self:process rule below and granted only through the allow_xserver_execmem tunable or the distro conditionals later in this file)
898
# Capabilities the server process may exercise on itself; the rationale for the
# unusual ones is in the comment block above. dac_override/fowner/fsetid bypass
# DAC ownership and permission checks; sys_admin and sys_rawio are the broad
# ones worth re-examining whenever the driver set changes.
995bdbb1 899allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
900
296273a7
CP
# chown attempts are expected; deny them quietly instead of filling the audit log.
901dontaudit xserver_t self:capability chown;
# Everything on self:process except: ptrace, the context-setting permissions
# (setcurrent/setexec/setfscreate), setrlimit, and the three exec* memory
# permissions. execmem/execstack/execheap are only added back by the
# allow_xserver_execmem tunable and the distro_* conditionals later in this file.
902allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
296273a7
CP
903allow xserver_t self:fd use;
904allow xserver_t self:fifo_file rw_fifo_file_perms;
905allow xserver_t self:sock_file read_sock_file_perms;
# SysV IPC objects the server creates itself. Whether clients may write to the
# server's shared memory segments is a separate tunable (allow_write_xshm).
906allow xserver_t self:shm create_shm_perms;
907allow xserver_t self:sem create_sem_perms;
908allow xserver_t self:msgq create_msgq_perms;
909allow xserver_t self:msg { send receive };
910allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
911allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
# TCP/UDP sockets; which ports may be bound or connected to is limited by the
# corenet_* rules further down.
912allow xserver_t self:tcp_socket create_stream_socket_perms;
913allow xserver_t self:udp_socket create_socket_perms;
3eaa9939
DW
# netlink_selinux_socket: policy/AVC change notifications, needed when the
# server acts as the userspace object manager; kobject_uevent: presumably for
# device hotplug notifications — confirm against the driver's needs.
914allow xserver_t self:netlink_selinux_socket create_socket_perms;
915allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
916
916
917allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
918
919domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
920
921allow xserver_t xauth_home_t:file read_file_perms;
296273a7 922
923manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
924manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
925manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
926files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
927
3f67f722 928filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
929
930manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
931manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
932manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
933manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
934manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
935fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
936
937manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
938manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
939files_search_var_lib(xserver_t)
940
aaf8a677 941manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
942manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
943files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir)
944
aaf8a677 945manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
946manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
947manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
948files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })
f267f853 949
950# Create files in /var/log with the xserver_log_t type.
951manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
3f67f722 952logging_log_filetrans(xserver_t, xserver_log_t, file)
3eaa9939 953manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t)
954
955kernel_read_system_state(xserver_t)
956kernel_read_device_sysctls(xserver_t)
957kernel_read_modprobe_sysctls(xserver_t)
958# Xorg wants to check if kernel is tainted
959kernel_read_kernel_sysctls(xserver_t)
960kernel_write_proc_files(xserver_t)
3eaa9939 961kernel_request_load_module(xserver_t)
962
963# Run helper programs in xserver_t.
964corecmd_exec_bin(xserver_t)
965corecmd_exec_shell(xserver_t)
966
967corenet_all_recvfrom_unlabeled(xserver_t)
968corenet_all_recvfrom_netlabel(xserver_t)
969corenet_tcp_sendrecv_generic_if(xserver_t)
970corenet_udp_sendrecv_generic_if(xserver_t)
971corenet_tcp_sendrecv_generic_node(xserver_t)
972corenet_udp_sendrecv_generic_node(xserver_t)
973corenet_tcp_sendrecv_all_ports(xserver_t)
974corenet_udp_sendrecv_all_ports(xserver_t)
c1262146 975corenet_tcp_bind_generic_node(xserver_t)
976corenet_tcp_bind_xserver_port(xserver_t)
977corenet_tcp_connect_all_ports(xserver_t)
978corenet_sendrecv_xserver_server_packets(xserver_t)
979corenet_sendrecv_all_client_packets(xserver_t)
980
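# Device node access for the X server.
dev_rw_sysfs(xserver_t)
dev_rw_mouse(xserver_t)
dev_rw_mtrr(xserver_t)
dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)

# Raw memory access is needed when the driver does not go through the frame
# buffer. Writing raw memory devices is among the most powerful grants in this
# module, so keep it tied to that justification. dev_wx_raw_memory and
# dev_write_raw_memory overlap in intent; both are kept because their
# permission sets are defined in the devices module interfaces and may
# differ — confirm there before dropping either.
dev_read_raw_memory(xserver_t)
dev_wx_raw_memory(xserver_t)
dev_write_raw_memory(xserver_t)

# for other device nodes such as the NVidia binary-only driver
dev_manage_xserver_misc(xserver_t)
dev_filetrans_xserver_misc(xserver_t)

# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
# read/write/execute mappings of the zero device
dev_rwx_zero(xserver_t)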
1002
1003domain_dontaudit_read_all_domains_state(xserver_t)
1004domain_signal_all_domains(xserver_t)
1005
1006files_read_etc_files(xserver_t)
1007files_read_etc_runtime_files(xserver_t)
1008files_read_usr_files(xserver_t)
b45aaab9 1009files_rw_tmpfs_files(xserver_t)
1010
1011# brought on by rhgb
1012files_search_mnt(xserver_t)
1013# for nscd
1014files_dontaudit_search_pids(xserver_t)
1015
1016fs_getattr_xattr_fs(xserver_t)
1017fs_search_nfs(xserver_t)
1018fs_search_auto_mountpoints(xserver_t)
1019fs_search_ramfs(xserver_t)
3eaa9939 1020fs_rw_tmpfs_files(xserver_t)
1021
1022mls_xwin_read_to_clearance(xserver_t)
1023mls_process_write_to_clearance(xserver_t)
1024mls_file_read_to_clearance(xserver_t)
1025mls_file_write_all_levels(xserver_t)
1026mls_file_upgrade(xserver_t)
1027
1028selinux_validate_context(xserver_t)
1029selinux_compute_access_vector(xserver_t)
1030selinux_compute_create_context(xserver_t)
1031
1032auth_use_nsswitch(xserver_t)
1033
1034init_getpgid(xserver_t)
1035
1036term_setattr_unallocated_ttys(xserver_t)
1037term_use_unallocated_ttys(xserver_t)
1038
1039locallogin_use_fds(xserver_t)
1040
1041logging_send_syslog_msg(xserver_t)
1042logging_send_audit_msgs(xserver_t)
1043
1044miscfiles_read_localization(xserver_t)
1045miscfiles_read_fonts(xserver_t)
3eaa9939 1046miscfiles_read_hwdata(xserver_t)
296273a7 1047
1048# read x_contexts
1049seutil_read_default_contexts(xserver_t)
1050seutil_read_config(xserver_t)
1051seutil_read_file_contexts(xserver_t)
1052
1053userdom_search_user_home_dirs(xserver_t)
1054userdom_use_user_ttys(xserver_t)
1055userdom_setattr_user_ttys(xserver_t)
7b40532b 1056userdom_read_user_tmp_files(xserver_t)
1057userdom_rw_user_tmpfs_files(xserver_t)
1058
1059xserver_use_user_fonts(xserver_t)
1060
1061ifndef(`distro_redhat',`
1062 allow xserver_t self:process { execmem execheap execstack };
623e4f08 1063 domain_mmap_low_uncond(xserver_t)
1064')
1065
1066ifdef(`distro_rhel4',`
1067 allow xserver_t self:process { execmem execheap execstack };
1068')
1069
1070ifdef(`enable_mls',`
1071 range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh;
7f491942 1072 range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
1073')
1074
1075tunable_policy(`!xserver_object_manager',`
1076 # should be xserver_unconfined(xserver_t),
1077 # but typeattribute doesn't work in conditionals
1078
1079 allow xserver_t xserver_t:x_server *;
f267f853 1080 allow xserver_t { x_domain root_xdrawable_t }:x_drawable *;
1081 allow xserver_t xserver_t:x_screen *;
1082 allow xserver_t x_domain:x_gc *;
f267f853 1083 allow xserver_t { x_domain root_xcolormap_t }:x_colormap *;
1084 allow xserver_t xproperty_type:x_property *;
1085 allow xserver_t xselection_type:x_selection *;
1086 allow xserver_t x_domain:x_cursor *;
f267f853 1087 allow xserver_t x_domain:x_client *;
296273a7 1088 allow xserver_t { x_domain xserver_t }:x_device *;
1089 allow xserver_t { x_domain xserver_t }:x_pointer *;
1090 allow xserver_t { x_domain xserver_t }:x_keyboard *;
1091 allow xserver_t xextension_type:x_extension *;
1092 allow xserver_t { x_domain xserver_t }:x_resource *;
1093 allow xserver_t xevent_type:{ x_event x_synthetic_event } *;
1094')
1095
1096optional_policy(`
1097 apm_stream_connect(xserver_t)
1098')
1099
1100optional_policy(`
1101 auth_search_pam_console_data(xserver_t)
1102')
1103
1104optional_policy(`
1105 consolekit_read_state(xserver_t)
1106')
1107
1108optional_policy(`
1109 devicekit_signal_power(xserver_t)
1110')
1111
1112optional_policy(`
1113 getty_use_fds(xserver_t)
1114')
1115
1116optional_policy(`
1117 modutils_domtrans_insmod(xserver_t)
1118')
1119
1120optional_policy(`
1121 rhgb_getpgid(xserver_t)
1122 rhgb_signal(xserver_t)
1123')
1124
1125optional_policy(`
1126 setrans_translate_context(xserver_t)
1127')
1128
1129optional_policy(`
1130 sandbox_rw_xserver_tmpfs_files(xserver_t)
1131')
1132
1133optional_policy(`
1134 udev_read_db(xserver_t)
1135')
1136
3eaa9939 1137optional_policy(`
 # With the unconfined module present, xserver_t is made an unconfined domain
 # and may execute into it; on such builds the fine-grained rules above are
 # effectively superseded.
594e29e6 1138 unconfined_domain(xserver_t)
296273a7
CP
1139 unconfined_domtrans(xserver_t)
1140')
1141
1142optional_policy(`
1143 userhelper_search_config(xserver_t)
1144')
1145
1146optional_policy(`
1147 xfs_stream_connect(xserver_t)
1148')
1149
1150########################################
1151#
1152# XDM Xserver local policy
1153#
1154# cjp: when xdm is configurable via tunable these
1155# rules will be enabled only when xdm is enabled
0f5d13fe 1156
1157allow xserver_t xdm_t:process { signal getpgid };
1158allow xserver_t xdm_t:shm rw_shm_perms;
5a975c1e 1159
296273a7 1160# NB: we deliberately do NOT allow xserver_t to search xdm_var_lib_t dirs; it may only
5a975c1e 1161# read a file inside the dir through an already-open handle (searches are dontaudited below).
3eaa9939 1162allow xserver_t xdm_var_lib_t:file read_file_perms;
7d1f5642 1163dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
0f5d13fe 1164
3eaa9939 1165read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
0f5d13fe 1166
5a975c1e 1167# Label pid and temporary files with derived types.
1168manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
1169manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
1170manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
0f5d13fe 1171
5a975c1e 1172# Run xkbcomp.
7d1f5642 1173allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
296273a7 1174can_exec(xserver_t, xkb_var_lib_t)
0f5d13fe 1175
5a975c1e 1176# VNC v4 module in X server
296273a7 1177corenet_tcp_bind_vnc_port(xserver_t)
0f5d13fe 1178
296273a7 1179init_use_fds(xserver_t)
0f5d13fe 1180
6b19be33 1181# FIXME: After per user fonts are properly working
296273a7 1182# xserver_t may no longer have any reason
1183# to read ROLE_home_t - examine this in more detail
1184# (xauth?)
296273a7 1185userdom_read_user_home_content_files(xserver_t)
3eaa9939 1186userdom_read_all_users_state(xserver_t)
ed2ac112 1187userdom_home_manager(xserver_t)
1188
1189xserver_use_user_fonts(xserver_t)
1190
ef55a119 1191optional_policy(`
296273a7 1192 dbus_system_bus_client(xserver_t)
1193
1194 optional_policy(`
1195 hal_dbus_chat(xserver_t)
1196 ')
1197')
1198
350b6ab7 1199optional_policy(`
1200 rhgb_rw_shm(xserver_t)
1201 rhgb_rw_tmpfs_files(xserver_t)
1202')
1203
1204optional_policy(`
1205 userhelper_search_config(xserver_t)
1206')
1207
1208########################################
1209#
1210# Rules common to all X window domains
1211#
eac818f0 1212
296273a7 1213# Hacks
1214# every X domain may create override-redirect windows on its own drawables,
1215# which could be used to spoof labels
1216allow x_domain self:x_drawable override;
1217# firefox gets nosy with other people's windows
1218allow x_domain x_domain:x_drawable { list_child receive };
1219
1220# X Server
1221# can get X server attributes
1222allow x_domain xserver_t:x_server getattr;
1223# can grab the server
1224allow x_domain xserver_t:x_server grab;
1225# can read and write server-owned generic resources
1226allow x_domain xserver_t:x_resource { read write };
296273a7 1227# can mess with own clients
f267f853 1228allow x_domain self:x_client { getattr manage destroy };
1229
1230# X Protocol Extensions
1231allow x_domain xextension_t:x_extension { query use };
1232allow x_domain security_xextension_t:x_extension { query use };
1233
1234# X Properties
296273a7 1235# can change properties of root window
1236allow x_domain root_xdrawable_t:x_drawable { list_property get_property set_property };
1237# can change properties of my own windows
296273a7 1238allow x_domain self:x_drawable { list_property get_property set_property };
1239# can read and write cut buffers
1240allow x_domain clipboard_xproperty_t:x_property { create read write append };
1241# can read security labels
1242allow x_domain seclabel_xproperty_t:x_property { getattr read };
1243# can change all other properties
1244allow x_domain xproperty_t:x_property { getattr create read write append destroy };
1245
1246# X Windows
1247# operations allowed on root windows
f267f853 1248allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
1249# operations allowed on my windows
1250allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
a25335e1 1251allow x_domain self:x_drawable blend;
1252# operations allowed on all windows
1253allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
1254
1255# X Colormaps
1256# can use the default colormap
1257allow x_domain root_xcolormap_t:x_colormap { read use add_color remove_color install uninstall };
1258# can create and use colormaps
1259allow x_domain self:x_colormap *;
1260
1261# X Devices
1262# operations allowed on my own devices
1263allow x_domain self:{ x_device x_pointer x_keyboard } *;
1264# operations allowed on generic devices
1265allow x_domain xserver_t:x_device { use getattr setattr getfocus setfocus bell grab freeze force_cursor };
1266# operations allowed on core keyboard
1267allow x_domain xserver_t:x_keyboard { use getattr setattr getfocus setfocus bell grab };
1268# operations allowed on core pointer
1269allow x_domain xserver_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor };
1270
1271# all devices can generate input events
1272allow x_domain root_xdrawable_t:x_drawable send;
1273allow x_domain x_domain:x_drawable send;
1274allow x_domain input_xevent_t:x_event send;
1275
1276# dontaudit keyloggers repeatedly polling the keyboard (left disabled: denials of x_keyboard read are still audited)
1277#dontaudit x_domain xserver_t:x_keyboard read;
1278
1279# X Input
1280# can receive default events
1281allow x_domain xevent_t:{ x_event x_synthetic_event } receive;
1282# can receive ICCCM events
1283allow x_domain client_xevent_t:{ x_event x_synthetic_event } receive;
296273a7 1284# can send ICCCM events to the root window
296273a7 1285allow x_domain client_xevent_t:x_synthetic_event send;
1286# can receive root window input events
1287allow x_domain root_input_xevent_t:x_event receive;
1288
1289# X Selections
1290# can use the clipboard
1291allow x_domain clipboard_xselection_t:x_selection { getattr setattr read };
1292# can use default selections
1293allow x_domain xselection_t:x_selection { getattr setattr read };
1294
1295# Other X Objects
1296# can create and use cursors
1297allow x_domain self:x_cursor *;
1298# can create and use graphics contexts
1299allow x_domain self:x_gc *;
1300# can read and write own objects
1301allow x_domain self:x_resource { read write };
1302# can mess with the screensaver
1303allow x_domain xserver_t:x_screen { getattr saver_getattr };
1304
1305# Device rules
# NB: unlike the "operations allowed on generic devices" rule in the X Devices
# block above, this one also grants read on the server's x_device; allow rules
# are unioned at build time, so every x_domain ends up with it. The x_screen
# getattr below is already covered by the "can mess with the screensaver" rule above.
1306allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
1307allow x_domain xserver_t:x_screen getattr;
1308
1309########################################
1310#
1311# Rules for unconfined access to this module
1312#
296273a7 1313
1314allow xserver_unconfined_type xserver_t:x_server *;
1315allow xserver_unconfined_type xdrawable_type:x_drawable *;
1316allow xserver_unconfined_type xserver_t:x_screen *;
1317allow xserver_unconfined_type x_domain:x_gc *;
1318allow xserver_unconfined_type xcolormap_type:x_colormap *;
1319allow xserver_unconfined_type xproperty_type:x_property *;
1320allow xserver_unconfined_type xselection_type:x_selection *;
1321allow xserver_unconfined_type x_domain:x_cursor *;
1322allow xserver_unconfined_type x_domain:x_client *;
1323allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
1324allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
1325allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
1326allow xserver_unconfined_type xextension_type:x_extension *;
1327allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
1328allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
1329
1330tunable_policy(`! xserver_object_manager',`
1331 # should be xserver_unconfined(x_domain),
1332 # but typeattribute doesn't work in conditionals
1333
1334 allow x_domain xserver_t:x_server *;
f267f853 1335 allow x_domain xdrawable_type:x_drawable *;
1336 allow x_domain xserver_t:x_screen *;
1337 allow x_domain x_domain:x_gc *;
f267f853 1338 allow x_domain xcolormap_type:x_colormap *;
1339 allow x_domain xproperty_type:x_property *;
1340 allow x_domain xselection_type:x_selection *;
1341 allow x_domain x_domain:x_cursor *;
f267f853 1342 allow x_domain x_domain:x_client *;
296273a7 1343 allow x_domain { x_domain xserver_t }:x_device *;
1344 allow x_domain { x_domain xserver_t }:x_pointer *;
1345 allow x_domain { x_domain xserver_t }:x_keyboard *;
1346 allow x_domain xextension_type:x_extension *;
1347 allow x_domain { x_domain xserver_t }:x_resource *;
1348 allow x_domain xevent_type:{ x_event x_synthetic_event } *;
1349')
1350
1351tunable_policy(`allow_xserver_execmem',`
1352 allow xserver_t self:process { execheap execmem execstack };
1353')
1354
1355# Hack for the NVIDIA binary drivers: give xdm_t execmem unless deny_execmem is set
4a093096 1356tunable_policy(`deny_execmem',`',`
1357 allow xdm_t self:process execmem;
1358')
1359
1360tunable_policy(`allow_execstack',`
1361 allow xdm_t self:process { execstack execmem };
1362')
1363
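# When user home directories live on NFS, let the xdmhomewriter domains append
# to the NFS-backed home files they already write elsewhere in this module.
tunable_policy(`use_nfs_home_dirs',`
	fs_append_nfs_files(xdmhomewriter)
')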
1371
1372optional_policy(`
1373 unconfined_rw_shm(xserver_t)
1374
1375 # xserver signals unconfined user on startx
1376 unconfined_signal(xserver_t)
1377 unconfined_getpgid(xserver_t)
1378')