Commit | Line | Data |
---|---|---|
d23f88c8 | 1 | policy_module(xserver, 3.5.6) |
296273a7 CP |
2 | |
3 | gen_require(` | |
4 | class x_drawable all_x_drawable_perms; | |
5 | class x_screen all_x_screen_perms; | |
6 | class x_gc all_x_gc_perms; | |
7 | class x_font all_x_font_perms; | |
8 | class x_colormap all_x_colormap_perms; | |
9 | class x_property all_x_property_perms; | |
10 | class x_selection all_x_selection_perms; | |
11 | class x_cursor all_x_cursor_perms; | |
12 | class x_client all_x_client_perms; | |
13 | class x_device all_x_device_perms; | |
f267f853 EW |
14 | class x_pointer all_x_pointer_perms; |
15 | class x_keyboard all_x_keyboard_perms; | |
296273a7 CP |
16 | class x_server all_x_server_perms; |
17 | class x_extension all_x_extension_perms; | |
18 | class x_resource all_x_resource_perms; | |
19 | class x_event all_x_event_perms; | |
20 | class x_synthetic_event all_x_synthetic_event_perms; | |
21 | ') | |
488ec7bd CP |
22 | |
23 | ######################################## | |
24 | # | |
25 | # Declarations | |
26 | # | |
27 | ||
56e1b3d2 | 28 | ## <desc> |
aaf8a677 DG |
29 | ## <p> |
30 | ## Allows clients to write to the X server shared | |
31 | ## memory segments. | |
32 | ## </p> | |
56e1b3d2 | 33 | ## </desc> |
0bfccda4 | 34 | gen_tunable(allow_write_xshm, false) |
56e1b3d2 | 35 | |
3eaa9939 | 36 | ## <desc> |
aaf8a677 DG |
37 | ## <p> |
38 | ## Allow the X server to execute writable memory | |
39 | ## </p> | |
3eaa9939 DW |
40 | ## </desc> |
41 | gen_tunable(allow_xserver_execmem, false) | |
42 | ||
6aff8c7e MG |
43 | ## <desc> |
44 | ## <p> | |
b42ceb94 | 45 | ## Allow the graphical login program to execute the bootloader |
6aff8c7e MG |
46 | ## </p> |
47 | ## </desc> | |
48 | gen_tunable(xdm_exec_bootloader, false) | |
49 | ||
56e1b3d2 | 50 | ## <desc> |
aaf8a677 | 51 | ## <p> |
e14dfc0b | 52 | ## Allow the graphical login program to login directly as sysadm_r:sysadm_t |
aaf8a677 | 53 | ## </p> |
56e1b3d2 | 54 | ## </desc> |
0bfccda4 | 55 | gen_tunable(xdm_sysadm_login, false) |
56e1b3d2 | 56 | |
2c12b471 | 57 | ## <desc> |
aaf8a677 DG |
58 | ## <p> |
59 | ## Support X userspace object manager | |
60 | ## </p> | |
2c12b471 | 61 | ## </desc> |
0bfccda4 | 62 | gen_tunable(xserver_object_manager, false) |
2c12b471 | 63 | |
3eaa9939 | 64 | ## <desc> |
aaf8a677 DG |
65 | ## <p> |
66 | ## Allow regular users direct dri device access | |
67 | ## </p> | |
3eaa9939 DW |
68 | ## </desc> |
69 | gen_tunable(user_direct_dri, false) | |
70 | ||
71 | attribute xdmhomewriter; | |
72 | attribute x_userdomain; | |
2c12b471 | 73 | attribute x_domain; |
2c12b471 | 74 | |
f267f853 EW |
75 | # X Events |
76 | attribute xevent_type; | |
77 | attribute input_xevent_type; | |
78 | type xevent_t, xevent_type; | |
9448ca6e CP |
79 | typealias xevent_t alias { user_property_xevent_t staff_property_xevent_t sysadm_property_xevent_t }; |
80 | typealias xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t }; | |
81 | typealias xevent_t alias { user_focus_xevent_t staff_focus_xevent_t sysadm_focus_xevent_t }; | |
82 | typealias xevent_t alias { auditadm_focus_xevent_t secadm_focus_xevent_t }; | |
83 | typealias xevent_t alias { user_manage_xevent_t staff_manage_xevent_t sysadm_manage_xevent_t }; | |
84 | typealias xevent_t alias { auditadm_manage_xevent_t secadm_manage_xevent_t }; | |
85 | typealias xevent_t alias { user_default_xevent_t staff_default_xevent_t sysadm_default_xevent_t }; | |
86 | typealias xevent_t alias { auditadm_default_xevent_t secadm_default_xevent_t }; | |
87 | ||
2c12b471 | 88 | type client_xevent_t, xevent_type; |
9448ca6e CP |
89 | typealias client_xevent_t alias { user_client_xevent_t staff_client_xevent_t sysadm_client_xevent_t }; |
90 | typealias client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t }; | |
91 | ||
f267f853 EW |
92 | type input_xevent_t, xevent_type, input_xevent_type; |
93 | ||
94 | # X Extensions | |
95 | attribute xextension_type; | |
96 | type xextension_t, xextension_type; | |
97 | type security_xextension_t, xextension_type; | |
98 | ||
99 | # X Properties | |
100 | attribute xproperty_type; | |
101 | type xproperty_t, xproperty_type; | |
102 | type seclabel_xproperty_t, xproperty_type; | |
2c12b471 | 103 | type clipboard_xproperty_t, xproperty_type; |
2c12b471 | 104 | |
f267f853 EW |
105 | # X Selections |
106 | attribute xselection_type; | |
107 | type xselection_t, xselection_type; | |
108 | type clipboard_xselection_t, xselection_type; | |
109 | #type settings_xselection_t, xselection_type; | |
110 | #type dbus_xselection_t, xselection_type; | |
296273a7 | 111 | |
f267f853 EW |
112 | # X Drawables |
113 | attribute xdrawable_type; | |
114 | attribute xcolormap_type; | |
115 | type root_xdrawable_t, xdrawable_type; | |
116 | type root_xcolormap_t, xcolormap_type; | |
acd87ca9 | 117 | |
f267f853 | 118 | attribute xserver_unconfined_type; |
296273a7 | 119 | |
f267f853 | 120 | xserver_object_types_template(root) |
296273a7 | 121 | xserver_object_types_template(user) |
f267f853 | 122 | |
296273a7 CP |
123 | typealias user_xproperty_t alias { staff_xproperty_t sysadm_xproperty_t }; |
124 | typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t }; | |
125 | typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t }; | |
126 | typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xevent_t }; | |
f267f853 EW |
127 | |
128 | type remote_t; | |
129 | xserver_object_types_template(remote) | |
aaf8a677 | 130 | xserver_common_x_domain_template(remote, remote_t) |
296273a7 CP |
131 | |
132 | type user_fonts_t; | |
133 | typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; | |
134 | typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; | |
aaf8a677 | 135 | typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t }; |
296273a7 CP |
136 | userdom_user_home_content(user_fonts_t) |
137 | ||
138 | type user_fonts_cache_t; | |
139 | typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t }; | |
140 | typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t }; | |
3eaa9939 | 141 | typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t }; |
296273a7 CP |
142 | userdom_user_home_content(user_fonts_cache_t) |
143 | ||
144 | type user_fonts_config_t; | |
145 | typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t }; | |
146 | typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t }; | |
3eaa9939 | 147 | typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t }; |
73c77e2c | 148 | userdom_user_home_content(user_fonts_config_t) |
296273a7 | 149 | |
f267f853 EW |
150 | type iceauth_t; |
151 | type iceauth_exec_t; | |
152 | typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t }; | |
3eaa9939 | 153 | typealias iceauth_t alias { xguest_iceauth_t }; |
f267f853 EW |
154 | typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; |
155 | application_domain(iceauth_t, iceauth_exec_t) | |
156 | ubac_constrained(iceauth_t) | |
157 | ||
158 | type iceauth_home_t; | |
159 | typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; | |
160 | typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; | |
aaf8a677 | 161 | typealias iceauth_home_t alias { xguest_iceauth_home_t }; |
f267f853 | 162 | userdom_user_home_content(iceauth_home_t) |
2c12b471 | 163 | |
296273a7 | 164 | type xauth_t; |
acd87ca9 | 165 | type xauth_exec_t; |
296273a7 CP |
166 | typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; |
167 | typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t }; | |
3eaa9939 | 168 | typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t }; |
296273a7 CP |
169 | application_domain(xauth_t, xauth_exec_t) |
170 | ubac_constrained(xauth_t) | |
171 | ||
172 | type xauth_home_t; | |
173 | typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t }; | |
174 | typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t }; | |
3eaa9939 | 175 | typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t }; |
296273a7 CP |
176 | userdom_user_home_content(xauth_home_t) |
177 | ||
178 | type xauth_tmp_t; | |
179 | typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t }; | |
3eaa9939 | 180 | typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t }; |
296273a7 CP |
181 | typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; |
182 | files_tmp_file(xauth_tmp_t) | |
183 | ubac_constrained(xauth_tmp_t) | |
acd87ca9 | 184 | |
413982c6 CP |
185 | # this is not actually a device, it's a pipe
186 | type xconsole_device_t; | |
187 | files_type(xconsole_device_t) | |
188 | fs_associate_tmpfs(xconsole_device_t) | |
189 | files_associate_tmp(xconsole_device_t) | |
190 | ||
0f5d13fe | 191 | type xdm_t; |
e070dd2d | 192 | type xdm_exec_t; |
4b3b46d7 | 193 | auth_login_pgm_domain(xdm_t) |
0bfccda4 | 194 | init_domain(xdm_t, xdm_exec_t) |
3eaa9939 | 195 | init_system_domain(xdm_t, xdm_exec_t) |
f267f853 EW |
196 | xserver_object_types_template(xdm) |
197 | xserver_common_x_domain_template(xdm, xdm_t) | |
0f5d13fe CP |
198 | |
199 | type xdm_lock_t; | |
200 | files_lock_file(xdm_lock_t) | |
201 | ||
3eaa9939 DW |
202 | type xdm_etc_t; |
203 | files_config_file(xdm_etc_t) | |
204 | ||
0f5d13fe | 205 | type xdm_rw_etc_t; |
3eaa9939 DW |
206 | files_config_file(xdm_rw_etc_t) |
207 | ||
208 | type xdm_spool_t; | |
0059652b | 209 | files_spool_file(xdm_spool_t) |
0f5d13fe CP |
210 | |
211 | type xdm_var_lib_t; | |
212 | files_type(xdm_var_lib_t) | |
213 | ||
214 | type xdm_var_run_t; | |
215 | files_pid_file(xdm_var_run_t) | |
216 | ||
3eaa9939 DW |
217 | type xserver_var_lib_t; |
218 | files_type(xserver_var_lib_t) | |
219 | ||
220 | type xserver_var_run_t; | |
221 | files_pid_file(xserver_var_run_t) | |
222 | ||
0f5d13fe CP |
223 | type xdm_tmp_t; |
224 | files_tmp_file(xdm_tmp_t) | |
3eaa9939 DW |
225 | typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t }; |
226 | typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; | |
227 | ubac_constrained(xdm_tmp_t) | |
0f5d13fe CP |
228 | |
229 | type xdm_tmpfs_t; | |
230 | files_tmpfs_file(xdm_tmpfs_t) | |
231 | ||
3eaa9939 DW |
232 | type xdm_home_t; |
233 | userdom_user_home_content(xdm_home_t) | |
234 | ||
235 | type xdm_log_t; | |
236 | logging_log_file(xdm_log_t) | |
237 | ||
488ec7bd CP |
238 | # type for /var/lib/xkb |
239 | type xkb_var_lib_t; | |
b68a85cb | 240 | files_type(xkb_var_lib_t) |
488ec7bd CP |
241 | |
242 | # Type for the executable used to start the X server, e.g. Xwrapper. | |
296273a7 | 243 | type xserver_t; |
488ec7bd | 244 | type xserver_exec_t; |
296273a7 | 245 | typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t }; |
e3359101 | 246 | typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; |
296273a7 CP |
247 | init_system_domain(xserver_t, xserver_exec_t) |
248 | ubac_constrained(xserver_t) | |
249 | ||
296273a7 | 250 | type xserver_tmpfs_t; |
3eaa9939 DW |
251 | typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t }; |
252 | typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; | |
296273a7 CP |
253 | files_tmpfs_file(xserver_tmpfs_t) |
254 | ubac_constrained(xserver_tmpfs_t) | |
488ec7bd | 255 | |
0f5d13fe | 256 | type xsession_exec_t; |
fb63d0b5 | 257 | corecmd_executable_file(xsession_exec_t) |
0f5d13fe | 258 | |
488ec7bd CP |
259 | # Type for the X server log file. |
260 | type xserver_log_t; | |
261 | logging_log_file(xserver_log_t) | |
07620c08 | 262 | |
e070dd2d | 263 | ifdef(`enable_mcs',` |
3f67f722 CP |
264 | init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh) |
265 | init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh) | |
e070dd2d CP |
266 | ') |
267 | ||
bb7170f6 | 268 | optional_policy(` |
07620c08 CP |
269 | prelink_object_file(xkb_var_lib_t) |
270 | ') | |
0f5d13fe | 271 | |
296273a7 CP |
272 | ######################################## |
273 | # | |
274 | # Iceauth local policy | |
275 | # | |
276 | ||
277 | allow iceauth_t iceauth_home_t:file manage_file_perms; | |
278 | userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) | |
279 | ||
280 | allow xdm_t iceauth_home_t:file read_file_perms; | |
281 | ||
3eaa9939 DW |
282 | dev_read_rand(iceauth_t) |
283 | ||
296273a7 CP |
284 | fs_search_auto_mountpoints(iceauth_t) |
285 | ||
af2d8802 | 286 | userdom_use_inherited_user_terminals(iceauth_t) |
3eaa9939 DW |
287 | userdom_read_user_tmp_files(iceauth_t) |
288 | userdom_read_all_users_state(iceauth_t) | |
ed2ac112 | 289 | userdom_home_manager(iceauth_t) |
296273a7 | 290 | |
aaf8a677 | 291 | ifdef(`hide_broken_symptoms',` |
3eaa9939 DW |
292 | dev_dontaudit_read_urand(iceauth_t) |
293 | dev_dontaudit_rw_dri(iceauth_t) | |
294 | dev_dontaudit_rw_generic_dev_nodes(iceauth_t) | |
295 | fs_dontaudit_list_inotifyfs(iceauth_t) | |
296 | fs_dontaudit_rw_anon_inodefs_files(iceauth_t) | |
aaf8a677 | 297 | term_dontaudit_use_unallocated_ttys(iceauth_t) |
3eaa9939 DW |
298 | |
299 | userdom_dontaudit_read_user_home_content_files(iceauth_t) | |
300 | userdom_dontaudit_write_user_home_content_files(iceauth_t) | |
301 | userdom_dontaudit_write_user_tmp_files(iceauth_t) | |
3eaa9939 DW |
302 | ') |
303 | ||
296273a7 CP |
304 | ######################################## |
305 | # | |
306 | # Xauth local policy | |
307 | # | |
308 | ||
3eaa9939 | 309 | allow xauth_t self:capability dac_override; |
296273a7 | 310 | allow xauth_t self:process signal; |
caf77cbb | 311 | allow xauth_t self:shm create_shm_perms; |
296273a7 | 312 | allow xauth_t self:unix_stream_socket create_stream_socket_perms; |
5a858b7f | 313 | allow xauth_t self:unix_dgram_socket create_socket_perms; |
296273a7 | 314 | |
3eaa9939 DW |
315 | allow xauth_t xdm_t:process sigchld; |
316 | allow xauth_t xserver_t:unix_stream_socket connectto; | |
317 | ||
318 | corenet_tcp_connect_xserver_port(xauth_t) | |
319 | ||
296273a7 CP |
320 | allow xauth_t xauth_home_t:file manage_file_perms; |
321 | userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) | |
3eaa9939 DW |
322 | userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file) |
323 | ||
324 | manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) | |
325 | manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) | |
296273a7 CP |
326 | |
327 | manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) | |
328 | manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) | |
329 | files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) | |
330 | ||
3eaa9939 DW |
331 | stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t) |
332 | ||
5a858b7f | 333 | kernel_read_network_state(xauth_t) |
3eaa9939 | 334 | kernel_read_system_state(xauth_t) |
db9cae61 CP |
335 | kernel_request_load_module(xauth_t) |
336 | ||
296273a7 | 337 | domain_use_interactive_fds(xauth_t) |
3eaa9939 | 338 | domain_dontaudit_leaks(xauth_t) |
296273a7 CP |
339 | |
340 | files_read_etc_files(xauth_t) | |
3eaa9939 | 341 | files_read_usr_files(xauth_t) |
296273a7 | 342 | files_search_pids(xauth_t) |
3eaa9939 DW |
343 | files_dontaudit_getattr_all_dirs(xauth_t) |
344 | files_dontaudit_leaks(xauth_t) | |
345 | files_var_lib_filetrans(xauth_t, xauth_home_t, file) | |
296273a7 | 346 | |
3eaa9939 DW |
347 | fs_dontaudit_leaks(xauth_t) |
348 | fs_getattr_all_fs(xauth_t) | |
296273a7 CP |
349 | fs_search_auto_mountpoints(xauth_t) |
350 | ||
0a394bf0 DW |
351 | # Probably a leak |
352 | term_dontaudit_use_ptmx(xauth_t) | |
353 | term_dontaudit_use_console(xauth_t) | |
296273a7 CP |
354 | |
355 | auth_use_nsswitch(xauth_t) | |
356 | ||
af2d8802 | 357 | userdom_use_inherited_user_terminals(xauth_t) |
296273a7 | 358 | userdom_read_user_tmp_files(xauth_t) |
3eaa9939 DW |
359 | userdom_read_all_users_state(xauth_t) |
360 | ||
4781493e DG |
361 | xserver_rw_xdm_tmp_files(xauth_t) |
362 | ||
aaf8a677 DG |
363 | ifdef(`hide_broken_symptoms',` |
364 | fs_dontaudit_rw_anon_inodefs_files(xauth_t) | |
365 | fs_dontaudit_list_inotifyfs(xauth_t) | |
366 | userdom_manage_user_home_content_files(xauth_t) | |
367 | userdom_manage_user_tmp_files(xauth_t) | |
368 | dev_dontaudit_rw_generic_dev_nodes(xauth_t) | |
369 | miscfiles_read_fonts(xauth_t) | |
3eaa9939 | 370 | ') |
296273a7 | 371 | |
ed2ac112 | 372 | userdom_home_manager(xauth_t) |
296273a7 | 373 | |
aaf8a677 DG |
374 | ifdef(`hide_broken_symptoms',` |
375 | term_dontaudit_use_unallocated_ttys(xauth_t) | |
3eaa9939 DW |
376 | dev_dontaudit_rw_dri(xauth_t) |
377 | ') | |
378 | ||
379 | optional_policy(` | |
380 | nx_var_lib_filetrans(xauth_t, xauth_home_t, file) | |
381 | ') | |
382 | ||
296273a7 CP |
383 | optional_policy(` |
384 | ssh_sigchld(xauth_t) | |
385 | ssh_read_pipes(xauth_t) | |
386 | ssh_dontaudit_rw_tcp_sockets(xauth_t) | |
387 | ') | |
388 | ||
0f5d13fe CP |
389 | ######################################## |
390 | # | |
391 | # XDM Local policy | |
392 | # | |
393 | ||
995bdbb1 | 394 | allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; |
395 | ||
396 | allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate }; | |
397 | tunable_policy(`deny_ptrace',`',` | |
398 | allow xdm_t self:process ptrace; | |
399 | ') | |
400 | ||
c0868a7a | 401 | allow xdm_t self:fifo_file rw_fifo_file_perms; |
0f5d13fe CP |
402 | allow xdm_t self:shm create_shm_perms; |
403 | allow xdm_t self:sem create_sem_perms; | |
404 | allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; | |
3eaa9939 | 405 | allow xdm_t self:unix_dgram_socket { create_socket_perms sendto }; |
0f5d13fe CP |
406 | allow xdm_t self:tcp_socket create_stream_socket_perms; |
407 | allow xdm_t self:udp_socket create_socket_perms; | |
3eaa9939 | 408 | allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms; |
a5e2133b CP |
409 | allow xdm_t self:socket create_socket_perms; |
410 | allow xdm_t self:appletalk_socket create_socket_perms; | |
411 | allow xdm_t self:key { search link write }; | |
0f5d13fe | 412 | |
3eaa9939 DW |
413 | allow xdm_t xauth_home_t:file manage_file_perms; |
414 | ||
7d1f5642 | 415 | allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; |
3eaa9939 DW |
416 | manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) |
417 | manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) | |
418 | ||
419 | manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) | |
67b181a4 | 420 | userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file) |
697e067d | 421 | userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, file) |
a11cc065 | 422 | xserver_filetrans_home_content(xdm_t) |
697e067d | 423 | xserver_filetrans_admin_home_content(xdm_t) |
1a49cc1d | 424 | |
3eaa9939 DW |
425 | # Handle mislabeled files in the home directory
426 | userdom_delete_user_home_content_files(xdm_t) | |
427 | userdom_signull_unpriv_users(xdm_t) | |
428 | userdom_dontaudit_read_admin_home_lnk_files(xdm_t) | |
413982c6 | 429 | |
0f5d13fe CP |
430 | # Allow gdm to run gdm-binary |
431 | can_exec(xdm_t, xdm_exec_t) | |
432 | ||
6b19be33 | 433 | allow xdm_t xdm_lock_t:file manage_file_perms; |
0bfccda4 | 434 | files_lock_filetrans(xdm_t, xdm_lock_t, file) |
6b19be33 | 435 | |
3eaa9939 DW |
436 | read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) |
437 | read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) | |
0f5d13fe CP |
438 | # wdm has its own config dir /etc/X11/wdm |
439 | # this is ugly, daemons should not create files under /etc! | |
0bfccda4 | 440 | manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) |
0f5d13fe | 441 | |
0bfccda4 CP |
442 | manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) |
443 | manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) | |
3eaa9939 | 444 | manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) |
0bfccda4 | 445 | manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) |
3eaa9939 DW |
446 | files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file }) |
447 | relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) | |
448 | relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) | |
5bca3cad | 449 | can_exec(xdm_t, xdm_tmp_t) |
6b19be33 | 450 | |
0bfccda4 CP |
451 | manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) |
452 | manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) | |
453 | manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) | |
454 | manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) | |
455 | manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) | |
3eaa9939 DW |
456 | |
457 | manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t) | |
458 | ||
459 | files_search_spool(xdm_t) | |
460 | manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t) | |
461 | manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t) | |
462 | files_spool_filetrans(xdm_t, xdm_spool_t, { file dir }) | |
6b19be33 | 463 | |
aaf8a677 | 464 | manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) |
0bfccda4 | 465 | manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) |
3eaa9939 DW |
466 | manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) |
467 | manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) | |
468 | files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir }) | |
469 | # Read machine-id | |
470 | files_read_var_lib_files(xdm_t) | |
6b19be33 | 471 | |
0bfccda4 CP |
472 | manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) |
473 | manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) | |
474 | manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) | |
3eaa9939 DW |
475 | manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) |
476 | files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file }) | |
6b19be33 | 477 | |
3eaa9939 | 478 | allow xdm_t xserver_t:process { signal signull }; |
296273a7 | 479 | allow xdm_t xserver_t:unix_stream_socket connectto; |
6b19be33 | 480 | |
296273a7 | 481 | allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; |
7d1f5642 | 482 | allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms }; |
6b19be33 CP |
483 | |
484 | # transition to the xdm xserver | |
296273a7 | 485 | domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) |
3eaa9939 DW |
486 | |
487 | ps_process_pattern(xserver_t, xdm_t) | |
296273a7 CP |
488 | allow xserver_t xdm_t:process signal; |
489 | allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; | |
6b19be33 | 490 | |
296273a7 | 491 | allow xdm_t xserver_t:shm rw_shm_perms; |
3eaa9939 | 492 | read_files_pattern(xdm_t, xserver_t, xserver_t) |
6b19be33 CP |
493 | |
494 | # connect to xdm xserver over stream socket | |
3f67f722 | 495 | stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) |
6b19be33 CP |
496 | |
497 | # Remove /tmp/.X11-unix/X0. | |
3f67f722 CP |
498 | delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) |
499 | delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) | |
6b19be33 | 500 | |
3eaa9939 DW |
501 | manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t) |
502 | manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t) | |
503 | manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t) | |
504 | logging_log_filetrans(xdm_t, xdm_log_t, { dir file }) | |
505 | ||
0bfccda4 CP |
506 | manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t) |
507 | manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t) | |
508 | manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t) | |
6b19be33 | 509 | |
0f5d13fe | 510 | kernel_read_system_state(xdm_t) |
3eaa9939 | 511 | kernel_read_device_sysctls(xdm_t) |
445522dc | 512 | kernel_read_kernel_sysctls(xdm_t) |
a5e2133b CP |
513 | kernel_read_net_sysctls(xdm_t) |
514 | kernel_read_network_state(xdm_t) | |
3eaa9939 DW |
515 | kernel_request_load_module(xdm_t) |
516 | kernel_stream_connect(xdm_t) | |
0f5d13fe CP |
517 | |
518 | corecmd_exec_shell(xdm_t) | |
519 | corecmd_exec_bin(xdm_t) | |
465f988e | 520 | corecmd_dontaudit_access_all_executables(xdm_t) |
0f5d13fe | 521 | |
19006686 CP |
522 | corenet_all_recvfrom_unlabeled(xdm_t) |
523 | corenet_all_recvfrom_netlabel(xdm_t) | |
0f5d13fe CP |
524 | corenet_tcp_sendrecv_generic_if(xdm_t) |
525 | corenet_udp_sendrecv_generic_if(xdm_t) | |
c1262146 CP |
526 | corenet_tcp_sendrecv_generic_node(xdm_t) |
527 | corenet_udp_sendrecv_generic_node(xdm_t) | |
0f5d13fe CP |
528 | corenet_tcp_sendrecv_all_ports(xdm_t) |
529 | corenet_udp_sendrecv_all_ports(xdm_t) | |
c1262146 CP |
530 | corenet_tcp_bind_generic_node(xdm_t) |
531 | corenet_udp_bind_generic_node(xdm_t) | |
3eaa9939 DW |
532 | corenet_udp_bind_ipp_port(xdm_t) |
533 | corenet_udp_bind_xdmcp_port(xdm_t) | |
0f5d13fe | 534 | corenet_tcp_connect_all_ports(xdm_t) |
141cffdd | 535 | corenet_sendrecv_all_client_packets(xdm_t) |
0f5d13fe CP |
536 | # xdm tries to bind to biff_port_t |
537 | corenet_dontaudit_tcp_bind_all_ports(xdm_t) | |
538 | ||
3eaa9939 | 539 | dev_rwx_zero(xdm_t) |
0f5d13fe | 540 | dev_read_rand(xdm_t) |
03527520 | 541 | dev_rw_sysfs(xdm_t) |
207c4763 CP |
542 | dev_getattr_framebuffer_dev(xdm_t) |
543 | dev_setattr_framebuffer_dev(xdm_t) | |
544 | dev_getattr_mouse_dev(xdm_t) | |
545 | dev_setattr_mouse_dev(xdm_t) | |
0f5d13fe | 546 | dev_rw_apm_bios(xdm_t) |
3eaa9939 | 547 | dev_rw_input_dev(xdm_t) |
207c4763 CP |
548 | dev_setattr_apm_bios_dev(xdm_t) |
549 | dev_rw_dri(xdm_t) | |
550 | dev_rw_agp(xdm_t) | |
0f5d13fe CP |
551 | dev_getattr_xserver_misc_dev(xdm_t) |
552 | dev_setattr_xserver_misc_dev(xdm_t) | |
0d9d0f86 | 553 | dev_rw_xserver_misc(xdm_t) |
207c4763 CP |
554 | dev_getattr_misc_dev(xdm_t) |
555 | dev_setattr_misc_dev(xdm_t) | |
0f5d13fe | 556 | dev_dontaudit_rw_misc(xdm_t) |
3eaa9939 DW |
557 | dev_read_video_dev(xdm_t) |
558 | dev_write_video_dev(xdm_t) | |
0f5d13fe | 559 | dev_setattr_video_dev(xdm_t) |
207c4763 CP |
560 | dev_getattr_scanner_dev(xdm_t) |
561 | dev_setattr_scanner_dev(xdm_t) | |
3eaa9939 DW |
562 | dev_read_sound(xdm_t) |
563 | dev_write_sound(xdm_t) | |
207c4763 CP |
564 | dev_getattr_power_mgmt_dev(xdm_t) |
565 | dev_setattr_power_mgmt_dev(xdm_t) | |
3eaa9939 DW |
566 | dev_getattr_null_dev(xdm_t) |
567 | dev_setattr_null_dev(xdm_t) | |
0f5d13fe | 568 | |
15722ec9 | 569 | domain_use_interactive_fds(xdm_t) |
0f5d13fe CP |
570 | # Do not audit denied probes of /proc. |
571 | domain_dontaudit_read_all_domains_state(xdm_t) | |
3eaa9939 | 572 | domain_dontaudit_ptrace_all_domains(xdm_t) |
1a82786c | 573 | domain_dontaudit_signal_all_domains(xdm_t) |
86cfdcd3 | 574 | domain_dontaudit_getattr_all_entry_files(xdm_t) |
0f5d13fe CP |
575 | |
576 | files_read_etc_files(xdm_t) | |
a5e2133b | 577 | files_read_var_files(xdm_t) |
0f5d13fe CP |
578 | files_read_etc_runtime_files(xdm_t) |
579 | files_exec_etc_files(xdm_t) | |
580 | files_list_mnt(xdm_t) | |
581 | # Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme... | |
582 | files_read_usr_files(xdm_t) | |
583 | # Poweroff wants to create the /poweroff file when run from xdm | |
584 | files_create_boot_flag(xdm_t) | |
3eaa9939 DW |
585 | files_dontaudit_getattr_boot_dirs(xdm_t) |
586 | files_dontaudit_write_usr_files(xdm_t) | |
bde923a7 | 587 | files_dontaudit_access_check_etc(xdm_t) |
3eaa9939 DW |
588 | files_dontaudit_getattr_all_dirs(xdm_t) |
589 | files_dontaudit_getattr_all_symlinks(xdm_t) | |
9bb35815 | 590 | files_dontaudit_getattr_all_tmp_sockets(xdm_t) |
998e4fa4 | 591 | files_dontaudit_all_access_check(xdm_t) |
0f5d13fe CP |
592 | |
593 | fs_getattr_all_fs(xdm_t) | |
594 | fs_search_auto_mountpoints(xdm_t) | |
3eaa9939 DW |
595 | fs_rw_anon_inodefs_files(xdm_t) |
596 | fs_mount_tmpfs(xdm_t) | |
ab9d1c17 MG |
597 | fs_list_inotifyfs(xdm_t) |
598 | fs_dontaudit_list_noxattr_fs(xdm_t) | |
599 | fs_dontaudit_read_noxattr_fs_files(xdm_t) | |
600 | fs_manage_cgroup_dirs(xdm_t) | |
601 | fs_manage_cgroup_files(xdm_t) | |
3eaa9939 DW |
602 | |
603 | mls_socket_write_to_clearance(xdm_t) | |
0f5d13fe | 604 | |
0f5d13fe CP |
605 | storage_dontaudit_read_fixed_disk(xdm_t) |
606 | storage_dontaudit_write_fixed_disk(xdm_t) | |
1815bad1 | 607 | storage_dontaudit_setattr_fixed_disk_dev(xdm_t) |
0f5d13fe CP |
608 | storage_dontaudit_raw_read_removable_device(xdm_t) |
609 | storage_dontaudit_raw_write_removable_device(xdm_t) | |
1815bad1 | 610 | storage_dontaudit_setattr_removable_dev(xdm_t) |
0f5d13fe | 611 | storage_dontaudit_rw_scsi_generic(xdm_t) |
3eaa9939 | 612 | storage_dontaudit_rw_fuse(xdm_t) |
0f5d13fe CP |
613 | |
614 | term_setattr_console(xdm_t) | |
3eaa9939 | 615 | term_use_console(xdm_t) |
3923f62a | 616 | term_use_virtio_console(xdm_t) |
1815bad1 | 617 | term_use_unallocated_ttys(xdm_t) |
0f5d13fe | 618 | term_setattr_unallocated_ttys(xdm_t) |
3eaa9939 DW |
619 | term_relabel_all_ttys(xdm_t) |
620 | term_relabel_unallocated_ttys(xdm_t) | |
0f5d13fe | 621 | |
6b19be33 | 622 | auth_domtrans_pam_console(xdm_t) |
0f5d13fe | 623 | auth_manage_pam_pid(xdm_t) |
0f5d13fe | 624 | auth_manage_pam_console_data(xdm_t) |
3eaa9939 | 625 | auth_signal_pam(xdm_t) |
a5e2133b CP |
626 | auth_rw_faillog(xdm_t) |
627 | auth_write_login_records(xdm_t) | |
0f5d13fe | 628 | |
0f5d13fe | 629 | # Run telinit->init to shutdown. |
a5f5eba4 | 630 | init_telinit(xdm_t) |
3eaa9939 | 631 | init_dbus_chat(xdm_t) |
0f5d13fe | 632 | |
0f5d13fe CP |
633 | libs_exec_lib_files(xdm_t) |
634 | ||
0f5d13fe CP |
635 | logging_read_generic_logs(xdm_t) |
636 | ||
# Remaining rules for the graphical login (xdm_t) domain; the section's
# declarations and its earlier rules sit above this point in the file.
miscfiles_search_man_pages(xdm_t)
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
miscfiles_manage_fonts_cache(xdm_t)
miscfiles_manage_localization(xdm_t)
miscfiles_read_hwdata(xdm_t)

userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
# for .dmrc
userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
userdom_stream_connect(xdm_t)
userdom_manage_user_tmp_dirs(xdm_t)
userdom_manage_user_tmp_files(xdm_t)
userdom_manage_user_tmp_sockets(xdm_t)
userdom_manage_tmpfs_role(system_r, xdm_t)
userdom_home_manager(xdm_t)

application_signal(xdm_t)

xserver_rw_session(xdm_t, xdm_tmpfs_t)
# NOTE(review): xserver_unconfined() presumably gives xdm_t the
# xserver_unconfined_type attribute, which the "unconfined access" section
# near the end of this module grants '*' on every X object class -- confirm
# the login manager really needs unrestricted X object access.
xserver_unconfined(xdm_t)
xserver_domtrans_xauth(xdm_t)

# Executable heap/anonymous memory for xdm_t is unconditional on non-Red Hat
# builds and on RHEL4; other builds gate it on the deny_execmem and
# allow_execstack tunables at the end of this module.
ifndef(`distro_redhat',`
	allow xdm_t self:process { execheap execmem };
')

ifdef(`distro_rhel4',`
	allow xdm_t self:process { execheap execmem };
')

tunable_policy(`use_nfs_home_dirs',`
	fs_exec_nfs_files(xdm_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_exec_cifs_files(xdm_t)
')

# Gated on the xdm_exec_bootloader tunable (default false).
optional_policy(`
	tunable_policy(`xdm_exec_bootloader',`
		bootloader_exec(xdm_t)
		files_read_boot_files(xdm_t)
		files_read_boot_symlinks(xdm_t)
	')
')

# xdm_sysadm_login (default false): the true branch permits the X session
# transition into all user domains, the false branch only into unprivileged
# ones (per the userdom interface names).
tunable_policy(`xdm_sysadm_login',`
	userdom_xsession_spec_domtrans_all_users(xdm_t)
	# FIXME:
	# xserver_rw_session_template(xdm,userdomain)
',`
	userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
	# FIXME:
	# xserver_rw_session_template(xdm,unpriv_userdomain)
	# dontaudit xserver_t sysadm_t:shm { unix_read unix_write };
	# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
')

optional_policy(`
	accountsd_read_lib_files(xdm_t)
')

optional_policy(`
	acct_dontaudit_list_data(xdm_t)
')

optional_policy(`
	alsa_domtrans(xdm_t)
	alsa_read_rw_config(xdm_t)
')

optional_policy(`
	consolekit_dbus_chat(xdm_t)
	consolekit_read_log(xdm_t)
')

optional_policy(`
	consoletype_exec(xdm_t)
')

optional_policy(`
	# Use dbus to start other processes as xdm_t
	dbus_role_template(xdm, system_r, xdm_t)

	#fixes for xfce4-notifyd
	# The xdm_dbusd_t bus daemon may connect to the X server's unix sockets.
	allow xdm_dbusd_t self:unix_stream_socket connectto;
	allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;

	dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
	xserver_xdm_append_log(xdm_dbusd_t)
	xserver_read_xdm_pid(xdm_dbusd_t)

	miscfiles_read_fonts(xdm_dbusd_t)

	corecmd_bin_entry_type(xdm_t)

	dbus_system_bus_client(xdm_t)

	optional_policy(`
		bluetooth_dbus_chat(xdm_t)
	')

	optional_policy(`
		cpufreqselector_dbus_chat(xdm_t)
	')

	optional_policy(`
		devicekit_dbus_chat_disk(xdm_t)
		devicekit_dbus_chat_power(xdm_t)
	')

	optional_policy(`
		hal_dbus_chat(xdm_t)
	')

	optional_policy(`
		networkmanager_dbus_chat(xdm_t)
	')
')

optional_policy(`
	# Talk to the console mouse server.
	gpm_stream_connect(xdm_t)
	gpm_setattr_gpmctl(xdm_t)
')

optional_policy(`
	gnome_exec_keyringd(xdm_t)
	gnome_manage_config(xdm_t)
	gnome_manage_gconf_home_files(xdm_t)
	gnome_filetrans_home_content(xdm_t)
	gnome_read_config(xdm_t)
	gnome_read_usr_config(xdm_t)
	gnome_read_gconf_config(xdm_t)
	gnome_transition_gkeyringd(xdm_t)
')

optional_policy(`
	hostname_exec(xdm_t)
')

optional_policy(`
	loadkeys_exec(xdm_t)
')

optional_policy(`
	locallogin_signull(xdm_t)
')

optional_policy(`
	# Do not audit attempts to check whether user root has email
	mta_dontaudit_getattr_spool_files(xdm_t)
')

optional_policy(`
	policykit_dbus_chat(xdm_t)
	policykit_domtrans_auth(xdm_t)
	policykit_read_lib(xdm_t)
	policykit_read_reload(xdm_t)
	policykit_signal_auth(xdm_t)
')

optional_policy(`
	pcscd_stream_connect(xdm_t)
')

optional_policy(`
	plymouthd_search_spool(xdm_t)
	plymouthd_exec_plymouth(xdm_t)
	plymouthd_stream_connect(xdm_t)
	plymouthd_read_log(xdm_t)
')

optional_policy(`
	pulseaudio_exec(xdm_t)
	pulseaudio_dbus_chat(xdm_t)
	pulseaudio_stream_connect(xdm_t)
')

optional_policy(`
	resmgr_stream_connect(xdm_t)
')

optional_policy(`
	rhev_stream_connect_agentd(xdm_t)
	rhev_read_pid_files_agentd(xdm_t)
')

# On crash gdm execs gdb to dump stack
# NOTE(review): the comment above mentions gdb, but the rules in this block
# are rpm_* interfaces; the comment may be stale or misplaced -- confirm.
optional_policy(`
	rpm_exec(xdm_t)
	rpm_read_db(xdm_t)
	rpm_dontaudit_manage_db(xdm_t)
	rpm_dontaudit_dbus_chat(xdm_t)
')

optional_policy(`
	rtkit_scheduled(xdm_t)
')

optional_policy(`
	seutil_sigchld_newrole(xdm_t)
')

optional_policy(`
	ssh_signull(xdm_t)
')

optional_policy(`
	shutdown_domtrans(xdm_t)
')

optional_policy(`
	udev_read_db(xdm_t)
')

optional_policy(`
	unconfined_signal(xdm_t)
')

optional_policy(`
	userhelper_dontaudit_search_config(xdm_t)
')

optional_policy(`
	usermanage_read_crack_db(xdm_t)
')

optional_policy(`
	vdagent_stream_connect(xdm_t)
')

optional_policy(`
	xfs_stream_connect(xdm_t)
')

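########################################
#
# X server local policy
#

# Rules for the X server domain (xserver_t) itself.

# X Object Manager rules
type_transition xserver_t xserver_t:x_drawable root_xdrawable_t;
type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;

allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
allow xserver_t input_xevent_t:x_event send;

# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
# sys_admin, locking shared mem? chowning IPC message queues or semaphores?
# admin of APM bios?
# sys_nice is so that the X server can set a negative nice value
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack

# NOTE(review): this capability set (dac_override, sys_admin, sys_rawio,
# mknod, ...) is very broad; the comments above record which members were
# believed necessary and which are questionable.
allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };

dontaudit xserver_t self:capability chown;
# Every process permission except the listed ones; some of the excluded exec*
# permissions are re-granted below under the distro conditionals and by the
# allow_xserver_execmem tunable at the end of this module.
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
allow xserver_t self:shm create_shm_perms;
allow xserver_t self:sem create_sem_perms;
allow xserver_t self:msgq create_msgq_perms;
allow xserver_t self:msg { send receive };
allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
allow xserver_t self:netlink_selinux_socket create_socket_perms;
allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;

allow xserver_t { input_xevent_t input_xevent_type }:x_event send;

domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)

allow xserver_t xauth_home_t:file read_file_perms;

manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })

filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)

manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })

# xkb_var_lib_t is also executable by xserver_t (can_exec in the XDM Xserver
# section below), so this type is both writable and executable by the same
# domain.
manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)

manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir)

manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
# NOTE(review): socket files are managed under xdm_var_run_t rather than
# xserver_var_run_t -- confirm this is intentional.
manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })

# Create files in /var/log with the xserver_log_t type.
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
logging_log_filetrans(xserver_t, xserver_log_t, file)
manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t)

kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
kernel_request_load_module(xserver_t)

# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
corecmd_exec_shell(xserver_t)

# Network: send/receive on all ports and TCP connect to all ports, but bind
# only to the xserver port here (plus the VNC port in the XDM Xserver section).
corenet_all_recvfrom_unlabeled(xserver_t)
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
corenet_tcp_sendrecv_generic_node(xserver_t)
corenet_udp_sendrecv_generic_node(xserver_t)
corenet_tcp_sendrecv_all_ports(xserver_t)
corenet_udp_sendrecv_all_ports(xserver_t)
corenet_tcp_bind_generic_node(xserver_t)
corenet_tcp_bind_xserver_port(xserver_t)
corenet_tcp_connect_all_ports(xserver_t)
corenet_sendrecv_xserver_server_packets(xserver_t)
corenet_sendrecv_all_client_packets(xserver_t)

dev_rw_sysfs(xserver_t)
dev_rw_mouse(xserver_t)
dev_rw_mtrr(xserver_t)
dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
dev_read_raw_memory(xserver_t)
dev_wx_raw_memory(xserver_t)
# for other device nodes such as the NVidia binary-only driver
dev_manage_xserver_misc(xserver_t)
dev_filetrans_xserver_misc(xserver_t)

# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
# NOTE(review): dev_wx_raw_memory() above presumably already covers write
# access to raw memory (wx = write+execute), in which case this call is
# redundant -- confirm against the devices interface definitions.
dev_write_raw_memory(xserver_t)
dev_rwx_zero(xserver_t)

domain_dontaudit_read_all_domains_state(xserver_t)
domain_signal_all_domains(xserver_t)

files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
files_read_usr_files(xserver_t)
files_rw_tmpfs_files(xserver_t)

# brought on by rhgb
files_search_mnt(xserver_t)
# for nscd
files_dontaudit_search_pids(xserver_t)

fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
fs_rw_tmpfs_files(xserver_t)

mls_xwin_read_to_clearance(xserver_t)
mls_process_write_to_clearance(xserver_t)
mls_file_read_to_clearance(xserver_t)
mls_file_write_all_levels(xserver_t)
mls_file_upgrade(xserver_t)

selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
selinux_compute_create_context(xserver_t)

auth_use_nsswitch(xserver_t)

init_getpgid(xserver_t)

term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)

locallogin_use_fds(xserver_t)

logging_send_syslog_msg(xserver_t)
logging_send_audit_msgs(xserver_t)

miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
miscfiles_read_hwdata(xserver_t)

# read x_contexts
seutil_read_default_contexts(xserver_t)
seutil_read_config(xserver_t)
seutil_read_file_contexts(xserver_t)

userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)

xserver_use_user_fonts(xserver_t)

# Executable memory for xserver_t is unconditional on non-Red Hat builds and
# on RHEL4; elsewhere it is gated on the allow_xserver_execmem tunable.
ifndef(`distro_redhat',`
	allow xserver_t self:process { execmem execheap execstack };
	domain_mmap_low_uncond(xserver_t)
')

ifdef(`distro_rhel4',`
	allow xserver_t self:process { execmem execheap execstack };
')

ifdef(`enable_mls',`
	range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh;
	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')

# With the X object manager disabled, xserver_t gets every permission on
# every X object class.
tunable_policy(`!xserver_object_manager',`
	# should be xserver_unconfined(xserver_t),
	# but typeattribute doesnt work in conditionals

	allow xserver_t xserver_t:x_server *;
	allow xserver_t { x_domain root_xdrawable_t }:x_drawable *;
	allow xserver_t xserver_t:x_screen *;
	allow xserver_t x_domain:x_gc *;
	allow xserver_t { x_domain root_xcolormap_t }:x_colormap *;
	allow xserver_t xproperty_type:x_property *;
	allow xserver_t xselection_type:x_selection *;
	allow xserver_t x_domain:x_cursor *;
	allow xserver_t x_domain:x_client *;
	allow xserver_t { x_domain xserver_t }:x_device *;
	allow xserver_t { x_domain xserver_t }:x_pointer *;
	allow xserver_t { x_domain xserver_t }:x_keyboard *;
	allow xserver_t xextension_type:x_extension *;
	allow xserver_t { x_domain xserver_t }:x_resource *;
	allow xserver_t xevent_type:{ x_event x_synthetic_event } *;
')

optional_policy(`
	apm_stream_connect(xserver_t)
')

optional_policy(`
	auth_search_pam_console_data(xserver_t)
')

optional_policy(`
	consolekit_read_state(xserver_t)
')

optional_policy(`
	devicekit_signal_power(xserver_t)
')

optional_policy(`
	getty_use_fds(xserver_t)
')

optional_policy(`
	modutils_domtrans_insmod(xserver_t)
')

optional_policy(`
	rhgb_getpgid(xserver_t)
	rhgb_signal(xserver_t)
')

optional_policy(`
	setrans_translate_context(xserver_t)
')

optional_policy(`
	sandbox_rw_xserver_tmpfs_files(xserver_t)
')

optional_policy(`
	udev_read_db(xserver_t)
')

# NOTE(review): when the unconfined module is present, xserver_t presumably
# becomes an unconfined domain, which makes most of the confinement above
# moot on such builds.
optional_policy(`
	unconfined_domain(xserver_t)
	unconfined_domtrans(xserver_t)
')

optional_policy(`
	userhelper_search_config(xserver_t)
')

optional_policy(`
	xfs_stream_connect(xserver_t)
')
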
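########################################
#
# XDM Xserver local policy
#
# cjp: when xdm is configurable via tunable these
# rules will be enabled only when xdm is enabled

# Rules the X server needs only when it is started by the login manager.

allow xserver_t xdm_t:process { signal getpgid };
allow xserver_t xdm_t:shm rw_shm_perms;

# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
allow xserver_t xdm_var_lib_t:file read_file_perms;
dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;

read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)

# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)

# Run xkbcomp.
# NOTE(review): xserver_t also manages xkb_var_lib_t files in the X server
# section above, so this type is both writable and executable by the same
# domain -- confirm that is still required.
allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
can_exec(xserver_t, xkb_var_lib_t)

# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xserver_t)

init_use_fds(xserver_t)

# FIXME: After per user fonts are properly working
# xserver_t may no longer have any reason
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
userdom_read_all_users_state(xserver_t)
userdom_home_manager(xserver_t)

# xserver_use_user_fonts(xserver_t) is already granted in the X server
# section above and is not repeated here.

optional_policy(`
	dbus_system_bus_client(xserver_t)

	optional_policy(`
		hal_dbus_chat(xserver_t)
	')
')

optional_policy(`
	rhgb_rw_shm(xserver_t)
	rhgb_rw_tmpfs_files(xserver_t)
')

# userhelper_search_config(xserver_t) is already granted in the X server
# section above and is not repeated here.
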
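########################################
#
# Rules common to all X window domains
#

# Baseline X object permissions for every X client domain (x_domain).

# Hacks
# everyone can do override-redirect windows.
# this could be used to spoof labels
allow x_domain self:x_drawable override;
# firefox gets nosy with other people's windows
allow x_domain x_domain:x_drawable { list_child receive };

# X Server
# can get X server attributes
allow x_domain xserver_t:x_server getattr;
# can grab the server
allow x_domain xserver_t:x_server grab;
# can read and write server-owned generic resources
allow x_domain xserver_t:x_resource { read write };
# can mess with own clients
allow x_domain self:x_client { getattr manage destroy };

# X Protocol Extensions
allow x_domain xextension_t:x_extension { query use };
allow x_domain security_xextension_t:x_extension { query use };

# X Properties
# can change properties of root window
allow x_domain root_xdrawable_t:x_drawable { list_property get_property set_property };
# can change properties of my own windows
allow x_domain self:x_drawable { list_property get_property set_property };
# can read and write cut buffers
allow x_domain clipboard_xproperty_t:x_property { create read write append };
# can read security labels
allow x_domain seclabel_xproperty_t:x_property { getattr read };
# can change all other properties
allow x_domain xproperty_t:x_property { getattr create read write append destroy };

# X Windows
# operations allowed on root windows
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
allow x_domain self:x_drawable blend;
# operations allowed on all windows
# NOTE(review): set_property on every other client's windows is a broad
# grant; worth re-checking alongside the label-spoofing concern noted under
# "Hacks" above.
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };

# X Colormaps
# can use the default colormap
allow x_domain root_xcolormap_t:x_colormap { read use add_color remove_color install uninstall };
# can create and use colormaps
allow x_domain self:x_colormap *;

# X Devices
# operations allowed on my own devices
allow x_domain self:{ x_device x_pointer x_keyboard } *;
# operations allowed on generic devices
allow x_domain xserver_t:x_device { use getattr setattr getfocus setfocus bell grab freeze force_cursor };
# operations allowed on core keyboard
allow x_domain xserver_t:x_keyboard { use getattr setattr getfocus setfocus bell grab };
# operations allowed on core pointer
allow x_domain xserver_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor };

# all devices can generate input events
allow x_domain root_xdrawable_t:x_drawable send;
allow x_domain x_domain:x_drawable send;
allow x_domain input_xevent_t:x_event send;

# dontaudit keyloggers repeatedly polling
#dontaudit x_domain xserver_t:x_keyboard read;

# X Input
# can receive default events
allow x_domain xevent_t:{ x_event x_synthetic_event } receive;
# can receive ICCCM events
allow x_domain client_xevent_t:{ x_event x_synthetic_event } receive;
# can send ICCCM events to the root window
allow x_domain client_xevent_t:x_synthetic_event send;
# can receive root window input events
allow x_domain root_input_xevent_t:x_event receive;

# X Selections
# can use the clipboard
allow x_domain clipboard_xselection_t:x_selection { getattr setattr read };
# can use default selections
allow x_domain xselection_t:x_selection { getattr setattr read };

# Other X Objects
# can create and use cursors
allow x_domain self:x_cursor *;
# can create and use graphics contexts
allow x_domain self:x_gc *;
# can read and write own objects
allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };

# Device rules
# NOTE(review): this adds 'read' on the generic x_device class for every
# x_domain, beyond the "operations allowed on generic devices" rule above;
# the core keyboard rule above does not grant read (see the commented-out
# keylogger dontaudit) -- confirm this wider grant is intended.
allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
# x_screen getattr is already covered by the screensaver rule above.
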
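########################################
#
# Rules for unconfined access to this module
#

# Domains carrying xserver_unconfined_type get every permission on every
# X object class.
allow xserver_unconfined_type xserver_t:x_server *;
allow xserver_unconfined_type xdrawable_type:x_drawable *;
allow xserver_unconfined_type xserver_t:x_screen *;
allow xserver_unconfined_type x_domain:x_gc *;
allow xserver_unconfined_type xcolormap_type:x_colormap *;
allow xserver_unconfined_type xproperty_type:x_property *;
allow xserver_unconfined_type xselection_type:x_selection *;
allow xserver_unconfined_type x_domain:x_cursor *;
allow xserver_unconfined_type x_domain:x_client *;
allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;

# With the X object manager tunable off, every X client domain gets every
# permission on every X object class, so the per-object rules in "Rules
# common to all X window domains" above no longer restrict anything.
tunable_policy(`!xserver_object_manager',`
	# should be xserver_unconfined(x_domain),
	# but typeattribute doesnt work in conditionals

	allow x_domain xserver_t:x_server *;
	allow x_domain xdrawable_type:x_drawable *;
	allow x_domain xserver_t:x_screen *;
	allow x_domain x_domain:x_gc *;
	allow x_domain xcolormap_type:x_colormap *;
	allow x_domain xproperty_type:x_property *;
	allow x_domain xselection_type:x_selection *;
	allow x_domain x_domain:x_cursor *;
	allow x_domain x_domain:x_client *;
	allow x_domain { x_domain xserver_t }:x_device *;
	allow x_domain { x_domain xserver_t }:x_pointer *;
	allow x_domain { x_domain xserver_t }:x_keyboard *;
	allow x_domain xextension_type:x_extension *;
	allow x_domain { x_domain xserver_t }:x_resource *;
	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')

# allow_xserver_execmem (default false): lets the X server execute writable
# memory.
tunable_policy(`allow_xserver_execmem',`
	allow xserver_t self:process { execheap execmem execstack };
')

# Hack to handle the problem of using the nvidia blobs
# The true branch is empty: xdm_t gets execmem whenever deny_execmem is off.
tunable_policy(`deny_execmem',`',`
	allow xdm_t self:process execmem;
')

tunable_policy(`allow_execstack',`
	allow xdm_t self:process { execstack execmem };
')

# xdmhomewriter is presumably an attribute declared elsewhere in this module
# for domains that write xdm home content -- confirm.
tunable_policy(`use_nfs_home_dirs',`
	fs_append_nfs_files(xdmhomewriter)
')

optional_policy(`
	unconfined_rw_shm(xserver_t)

	# xserver signals unconfined user on startx
	unconfined_signal(xserver_t)
	unconfined_getpgid(xserver_t)
')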