/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
+
+
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
/etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)
allow xserver_t $2:fd use;
allow xserver_t $2:shm rw_shm_perms;
- domtrans_pattern($2, xserver_exec_t, xserver_t)
- allow xserver_t $2:process signal;
+ allow xserver_t $2:process { getpgid signal };
allow xserver_t $2:shm rw_shm_perms;
dev_rw_usbfs($2)
miscfiles_read_fonts($2)
+ miscfiles_setattr_fonts_cache_dirs($2)
+ miscfiles_read_hwdata($2)
xserver_common_x_domain_template(user, $2)
+ xserver_domtrans($2)
+ xserver_unconfined($2)
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
-
- fs_getattr_all_fs(xdm_t)
- fs_list_inotifyfs(xdm_t)
- fs_dontaudit_list_noxattr_fs(xdm_t)
- fs_dontaudit_read_noxattr_fs_files(xdm_t)
- fs_manage_cgroup_dirs(xdm_t)
- fs_manage_cgroup_files(xdm_t)
+ fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
+
+files_search_spool(xdm_t)
+manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
+manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
+files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
+
manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
+manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir })
+# Read machine-id
+files_read_var_lib_files(xdm_t)
manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
+fs_rw_anon_inodefs_files(xdm_t)
+fs_mount_tmpfs(xdm_t)
++fs_list_inotifyfs(xdm_t)
++fs_dontaudit_list_noxattr_fs(xdm_t)
++fs_dontaudit_read_noxattr_fs_files(xdm_t)
++fs_manage_cgroup_dirs(xdm_t)
++fs_manage_cgroup_files(xdm_t)
+
+mls_socket_write_to_clearance(xdm_t)
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
')
optional_policy(`
- cpufreqselector_dbus_chat(xdm_t)
+ # Use dbus to start other processes as xdm_t
+ dbus_role_template(xdm, system_r, xdm_t)
+
+ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
+ xserver_xdm_append_log(xdm_dbusd_t)
+ xserver_read_xdm_pid(xdm_dbusd_t)
+
+ corecmd_bin_entry_type(xdm_t)
+
+ dbus_system_bus_client(xdm_t)
+
+ optional_policy(`
+ bluetooth_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
- cpufreqselector_dbus_send(xdm_t)
++ cpufreqselector_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
+ devicekit_dbus_chat_disk(xdm_t)
+ devicekit_dbus_chat_power(xdm_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(xdm_t)
+ ')
')
optional_policy(`