1 | ## <summary>X Windows Server</summary> |
2 | ||
########################################
## <summary>
##	Rules required for using the X Windows server
##	and environment, for restricted users.
## </summary>
## <desc>
##	<p>
##	Grants the domain transitions into the xserver, xauth and
##	iceauth domains, read-only access to the X server's System V
##	shared memory and tmpfs segments (read/write is only added
##	under the allow_write_xshm tunable), read access to user
##	fonts and font configuration, and management of the user
##	font cache. The Xauthority and ICE authority files are
##	readable but not writable from this role.
##	</p>
##	<p>
##	xserver_role() builds on this interface and additionally
##	grants unconditional read/write shared memory access and
##	management of the authority and user font files.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_restricted_role',`
	gen_require(`
		type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t;
		type iceauth_t, iceauth_exec_t, iceauth_home_t;
		type xauth_t, xauth_exec_t, xauth_home_t;
		class dbus send_msg;
	')
	# NOTE(review): xdm_t is used below (fd, fifo_file, tcp_socket and
	# dbus rules) but is not listed in gen_require; confirm callers
	# already have it in scope or add it here.

	role $1 types { xserver_t xauth_t iceauth_t };

	# Xserver read/write client shm
	allow xserver_t $2:fd use;
	allow xserver_t $2:shm rw_shm_perms;

	domtrans_pattern($2, xserver_exec_t, xserver_t)
	allow xserver_t $2:process { getpgid signal };

	# NOTE(review): duplicate of the xserver_t $2:shm rule above; the
	# policy compiler merges it, but one copy should be removed.
	allow xserver_t $2:shm rw_shm_perms;

	# Read-only access to user fonts and font configuration
	allow $2 user_fonts_t:dir list_dir_perms;
	allow $2 user_fonts_t:file read_file_perms;
	allow $2 user_fonts_t:lnk_file read_lnk_file_perms;

	allow $2 user_fonts_config_t:dir list_dir_perms;
	allow $2 user_fonts_config_t:file read_file_perms;

	# The font cache is the only font content a restricted user may write
	manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)

	# Connect to the X server's unix socket in /tmp; unlink covers
	# removal of stale socket files
	stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
	allow $2 xserver_tmp_t:sock_file unlink;
	files_search_tmp($2)

	# Communicate via System V shared memory.
	# Read-only here; write access is granted only by the
	# allow_write_xshm tunable at the end of this interface.
	allow $2 xserver_t:shm r_shm_perms;
	allow $2 xserver_tmpfs_t:file read_file_perms;

	# allow ps to show iceauth
	ps_process_pattern($2, iceauth_t)

	domtrans_pattern($2, iceauth_exec_t, iceauth_t)

	allow $2 iceauth_home_t:file read_file_perms;

	domtrans_pattern($2, xauth_exec_t, xauth_t)

	allow $2 xauth_t:process signal;

	# allow ps to show xauth
	ps_process_pattern($2, xauth_t)
	allow $2 xserver_t:process signal;

	# Read-only: the restricted role cannot create, modify or relabel
	# its Xauthority file (compare xserver_role)
	allow $2 xauth_home_t:file read_file_perms;

	# for when /tmp/.X11-unix is created by the system
	allow $2 xdm_t:fd use;
	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
	allow $2 xdm_tmp_t:dir search_dir_perms;
	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
	dontaudit $2 xdm_t:tcp_socket { read write };
	dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;

	# Bidirectional dbus messaging with the display manager domain
	allow $2 xdm_t:dbus send_msg;
	allow xdm_t $2:dbus send_msg;

	# Client read xserver shm
	allow $2 xserver_t:fd use;
	# NOTE(review): duplicates the xserver_tmpfs_t read rule granted above.
	allow $2 xserver_tmpfs_t:file read_file_perms;

	# Read /tmp/.X0-lock
	allow $2 xserver_tmp_t:file read_inherited_file_perms;

	dev_rw_xserver_misc($2)
	dev_rw_power_management($2)
	# NOTE(review): read access to input devices for a restricted user
	# domain; confirm this is still needed by the X clients this role covers.
	dev_read_input($2)
	dev_read_misc($2)
	dev_write_misc($2)
	# open office is looking for the following
	dev_getattr_agp_dev($2)

	# GNOME checks for usb and other devices:
	dev_rw_usbfs($2)

	miscfiles_read_fonts($2)
	miscfiles_setattr_fonts_cache_dirs($2)

	# X object manager rules, using the "user" prefix for the
	# per-prefix property and input event types
	xserver_common_x_domain_template(user, $2)
	xserver_xsession_entry_type($2)
	xserver_dontaudit_write_log($2)
	xserver_stream_connect_xdm($2)
	# certain apps want to read xdm.pid file
	xserver_read_xdm_pid($2)
	# gnome-session creates socket under /tmp/.ICE-unix/
	xserver_create_xdm_tmp_sockets($2)
	# Needed for escd, remove if we get escd policy
	xserver_manage_xdm_tmp_files($2)

	ifdef(`hide_broken_symptoms',`
		dontaudit iceauth_t $2:socket_class_set { read write };
	')

	# Client write xserver shm
	# Enabling allow_write_xshm lets the client modify the server's
	# shared memory segments instead of only reading them.
	tunable_policy(`allow_write_xshm',`
		allow $2 xserver_t:shm rw_shm_perms;
		allow $2 xserver_tmpfs_t:file rw_file_perms;
	')

	# Direct access to DRI devices, opt-in via tunable
	tunable_policy(`user_direct_dri',`
		dev_rw_dri($2)
	')
')
131 | ||
########################################
## <summary>
##	Rules required for using the X Windows server
##	and environment.
## </summary>
## <desc>
##	<p>
##	Unrestricted variant of xserver_restricted_role(): calls it
##	and additionally grants unconditional read/write access to
##	the X server shared memory and tmpfs segments, plus
##	management and relabeling of the Xauthority, ICE authority
##	and user font files, caches and configuration.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_role',`
	gen_require(`
		type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
	')

	# Everything a restricted user gets, plus the write access below
	xserver_restricted_role($1, $2)

	# Communicate via System V shared memory.
	# Unconditional here; the restricted role only gets this under
	# the allow_write_xshm tunable.
	allow $2 xserver_t:shm rw_shm_perms;
	allow $2 xserver_tmpfs_t:file rw_file_perms;

	# Full control of the ICE and X authority cookie files, including
	# relabel (the restricted role can only read them)
	allow $2 iceauth_home_t:file manage_file_perms;
	allow $2 iceauth_home_t:file relabel_file_perms;

	allow $2 xauth_home_t:file manage_file_perms;
	allow $2 xauth_home_t:file relabel_file_perms;

	# MLS: presumably permits X window reads up to the user's clearance;
	# see the mls module for the exact rules
	mls_xwin_read_to_clearance($2)
	# Full management and relabel of user fonts (restricted role: read only)
	manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
	manage_files_pattern($2, user_fonts_t, user_fonts_t)
	allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
	relabel_files_pattern($2, user_fonts_t, user_fonts_t)

	# Font cache: manage is already granted by the restricted role,
	# relabel is added here
	manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
	relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
	relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)

	# Font configuration: manage and relabel (restricted role: read only)
	manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
')
183 | ||
#######################################
## <summary>
##	Create sessions on the X server, with read-only
##	access to the X server shared
##	memory segments.
## </summary>
## <desc>
##	<p>
##	Note the asymmetry: the X server is granted read/write
##	access to the client's shared memory and tmpfs files,
##	while the client only gets read access to the server's.
##	Only the socket-level connectto is granted here; write
##	access to the server socket file in /tmp is not.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="tmpfs_type">
##	<summary>
##	The type of the domain SYSV tmpfs files.
##	</summary>
## </param>
#
interface(`xserver_ro_session',`
	gen_require(`
		type xserver_t, xserver_tmp_t, xserver_tmpfs_t;
	')

	# Xserver read/write client shm
	allow xserver_t $1:fd use;
	allow xserver_t $1:shm rw_shm_perms;
	allow xserver_t $2:file rw_file_perms;

	# Connect to xserver
	allow $1 xserver_t:unix_stream_socket connectto;
	allow $1 xserver_t:process signal;

	# Read /tmp/.X0-lock
	allow $1 xserver_tmp_t:file read_file_perms;

	# Client read xserver shm (read-only; see xserver_rw_session for write)
	allow $1 xserver_t:fd use;
	allow $1 xserver_t:shm r_shm_perms;
	allow $1 xserver_tmpfs_t:file read_file_perms;
')
223 | ||
#######################################
## <summary>
##	Create sessions on the X server, with read and write
##	access to the X server shared
##	memory segments.
## </summary>
## <desc>
##	<p>
##	Calls xserver_ro_session() and upgrades the client's
##	access to the server's shared memory and tmpfs files
##	from read-only to read/write.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="tmpfs_type">
##	<summary>
##	The type of the domain SYSV tmpfs files.
##	</summary>
## </param>
#
interface(`xserver_rw_session',`
	gen_require(`
		type xserver_t, xserver_tmpfs_t;
	')

	xserver_ro_session($1,$2)
	# Write access on top of the read-only session
	allow $1 xserver_t:shm rw_shm_perms;
	allow $1 xserver_tmpfs_t:file rw_file_perms;
')
250 | ||
#######################################
## <summary>
##	Create non-drawing client sessions on an X server.
## </summary>
## <desc>
##	<p>
##	The client may connect to the server, use extensions,
##	inspect the root drawable and read properties, but is
##	not granted write or draw permission on any drawable.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_non_drawing_client',`
	gen_require(`
		class x_drawable { getattr get_property };
		class x_extension { query use };
		class x_gc { create setattr };
		class x_property read;

		type xserver_t, xdm_var_run_t;
		type xextension_t, xproperty_t, root_xdrawable_t;
	')

	# Graphics contexts of its own only
	allow $1 self:x_gc { create setattr };

	# Reach the server socket under the xdm run directory
	allow $1 xdm_var_run_t:dir search;
	allow $1 xserver_t:unix_stream_socket connectto;

	# Read-only view of extensions, the root window and properties
	allow $1 xextension_t:x_extension { query use };
	allow $1 root_xdrawable_t:x_drawable { getattr get_property };
	allow $1 xproperty_t:x_property read;
')
281 | ||
#######################################
## <summary>
##	Create full client sessions
##	on a user X server.
## </summary>
## <desc>
##	<p>
##	Deprecated: emits a refpolicywarn and remains only for
##	compatibility. xserver_user_x_domain_template() is the
##	replacement; it carries the same rules plus the X object
##	manager templates.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="tmpfs_type">
##	<summary>
##	The type of the domain SYSV tmpfs files.
##	</summary>
## </param>
#
interface(`xserver_user_client',`
	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
	gen_require(`
		type xdm_t, xdm_tmp_t;
		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
	')

	# Own shm segments and unix sockets for talking to the server
	allow $1 self:shm create_shm_perms;
	allow $1 self:unix_dgram_socket create_socket_perms;
	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };

	# Read .Xauthority file
	allow $1 xauth_home_t:file read_file_perms;
	allow $1 iceauth_home_t:file read_file_perms;

	# for when /tmp/.X11-unix is created by the system
	# NOTE(review): uses bare "search" and "{ read write }" where
	# xserver_user_x_domain_template uses search_dir_perms and
	# rw_inherited_sock_file_perms; left as is since this interface
	# is deprecated.
	allow $1 xdm_t:fd use;
	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
	allow $1 xdm_tmp_t:dir search;
	allow $1 xdm_tmp_t:sock_file { read write };
	dontaudit $1 xdm_t:tcp_socket { read write };

	# Allow connections to X server.
	files_search_tmp($1)

	miscfiles_read_fonts($1)

	userdom_search_user_home_dirs($1)
	# for .xsession-errors
	userdom_dontaudit_write_user_home_content_files($1)

	# Read-only session by default; write is tunable below
	xserver_ro_session($1,$2)
	xserver_use_user_fonts($1)

	xserver_read_xdm_tmp_files($1)

	# Client write xserver shm
	tunable_policy(`allow_write_xshm',`
		allow $1 xserver_t:shm rw_shm_perms;
		allow $1 xserver_tmpfs_t:file rw_file_perms;
	')
')
24a63797 | 340 | |
#######################################
## <summary>
##	Interface to provide X object permissions on a given X server to
##	an X client domain. Provides the minimal set required by a basic
##	X client application.
## </summary>
## <desc>
##	<p>
##	Makes the domain an X object manager subject (x_domain) and
##	object (drawable and colormap attributes), labels its new
##	windows and input events, and grants event send/receive
##	plus a set of server, screen, pointer and keyboard
##	permissions on the X server and display manager.
##	</p>
## </desc>
## <param name="prefix">
##	<summary>
##	The prefix of the X client domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Client domain allowed access.
##	</summary>
## </param>
#
template(`xserver_common_x_domain_template',`
	gen_require(`
		type root_xdrawable_t;
		type xproperty_t, $1_xproperty_t;
		type xevent_t, client_xevent_t;
		type input_xevent_t, $1_input_xevent_t;

		attribute x_domain, input_xevent_type;
		attribute xdrawable_type, xcolormap_type;

		class x_drawable all_x_drawable_perms;
		class x_property all_x_property_perms;
		class x_event all_x_event_perms;
		class x_synthetic_event all_x_synthetic_event_perms;
		class x_client destroy;
		class x_server manage;
		class x_screen { saver_setattr saver_hide saver_show };
		class x_pointer { get_property set_property manage };
		class x_keyboard { read manage };
		type xdm_t, xserver_t;
	')

	##############################
	#
	# Local Policy
	#

	# Type attributes
	# The domain acts as both subject (x_domain) and object (its own
	# windows and colormaps carry the domain type) in the X object manager.
	typeattribute $2 x_domain;
	typeattribute $2 xdrawable_type, xcolormap_type;

	# X Properties
	# disable property transitions for the time being.
	# type_transition $2 xproperty_t:x_property $1_xproperty_t;
	# NOTE(review): while the transition is disabled, xproperty_t and
	# $1_xproperty_t are required above but unused.

	# X Windows
	# new windows have the domain type
	type_transition $2 root_xdrawable_t:x_drawable $2;

	# X Input
	# distinguish input events
	type_transition $2 input_xevent_t:x_event $1_input_xevent_t;
	# can send own events
	allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } send;
	# can receive own events
	allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
	# can receive default events
	allow $2 client_xevent_t:{ x_event x_synthetic_event } receive;
	allow $2 xevent_t:{ x_event x_synthetic_event } receive;
	# dont audit send failures
	# (sending input events labeled with other prefixes' types stays
	# denied, just silently)
	dontaudit $2 input_xevent_type:x_event send;

	# Access to the display manager's windows and client connection
	allow $2 xdm_t:x_drawable { hide read add_child manage };
	allow $2 xdm_t:x_client destroy;

	# NOTE(review): the rules below are broader than "minimal set"
	# suggests: write on the root drawable, manage on the server,
	# screensaver control, pointer manage and keyboard read/manage are
	# granted to every domain instantiated with this template.
	# Confirm each is still required by a basic client.
	allow $2 root_xdrawable_t:x_drawable write;
	allow $2 xserver_t:x_server manage;
	allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show };
	allow $2 xserver_t:x_pointer { get_property set_property manage };
	allow $2 xserver_t:x_keyboard { read manage };
')
420 | ||
#######################################
## <summary>
##	Template for creating the set of types used
##	in an X windows domain.
## </summary>
## <desc>
##	<p>
##	Declares the per-prefix property and input event types
##	that xserver_common_x_domain_template() later requires.
##	Both types are UBAC constrained.
##	</p>
## </desc>
## <param name="prefix">
##	<summary>
##	The prefix of the X client domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`xserver_object_types_template',`
	gen_require(`
		attribute xproperty_type, input_xevent_type, xevent_type;
	')

	##############################
	#
	# Declarations
	#

	# Types for properties
	type $1_xproperty_t, xproperty_type;
	ubac_constrained($1_xproperty_t)

	# Types for events
	type $1_input_xevent_t, input_xevent_type, xevent_type;
	ubac_constrained($1_input_xevent_t)
')
451 | ||
#######################################
## <summary>
##	Interface to provide X object permissions on a given X server to
##	an X client domain. Provides the minimal set required by a basic
##	X client application.
## </summary>
## <desc>
##	<p>
##	Replacement for the deprecated xserver_user_client(): the
##	same client session rules, plus the per-prefix X object
##	types and the common X object manager rules. Shared memory
##	write access is only granted under the allow_write_xshm
##	tunable, and DRI device access under user_direct_dri.
##	</p>
## </desc>
## <param name="prefix">
##	<summary>
##	The prefix of the X client domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Client domain allowed access.
##	</summary>
## </param>
## <param name="tmpfs_type">
##	<summary>
##	The type of the domain SYSV tmpfs files.
##	</summary>
## </param>
#
template(`xserver_user_x_domain_template',`
	gen_require(`
		type xdm_t, xdm_tmp_t;
		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
	')

	# Own shm segments and unix sockets for talking to the server
	allow $2 self:shm create_shm_perms;
	allow $2 self:unix_dgram_socket create_socket_perms;
	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };

	# Read .Xauthority file
	allow $2 xauth_home_t:file read_file_perms;
	allow $2 iceauth_home_t:file read_file_perms;

	# for when /tmp/.X11-unix is created by the system
	allow $2 xdm_t:fd use;
	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
	allow $2 xdm_tmp_t:dir search_dir_perms;
	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
	dontaudit $2 xdm_t:tcp_socket { read write };

	# Allow connections to X server.
	files_search_tmp($2)

	miscfiles_read_fonts($2)

	userdom_search_user_home_dirs($2)
	# for .xsession-errors
	userdom_dontaudit_write_user_home_content_files($2)

	# Read-only session by default; write is tunable below
	xserver_ro_session($2, $3)
	xserver_use_user_fonts($2)

	xserver_read_xdm_tmp_files($2)
	xserver_read_xdm_pid($2)

	# X object manager
	# Declare the prefix types first, then the rules that require them
	xserver_object_types_template($1)
	xserver_common_x_domain_template($1, $2)

	# Client write xserver shm
	tunable_policy(`allow_write_xshm',`
		allow $2 xserver_t:shm rw_shm_perms;
		allow $2 xserver_tmpfs_t:file rw_file_perms;
	')

	# Direct access to DRI devices, opt-in via tunable
	tunable_policy(`user_direct_dri',`
		dev_rw_dri($2)
	')
')
525 | ||
########################################
## <summary>
##	Read user fonts, user font configuration,
##	and manage the user font cache.
## </summary>
## <desc>
##	<p>
##	Read user fonts, user font configuration,
##	and manage the user font cache.
##	</p>
##	<p>
##	This is a templated interface, and should only
##	be called from a per-userdomain template.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_use_user_fonts',`
	gen_require(`
		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
	')

	# Read per user fonts
	allow $1 user_fonts_t:dir list_dir_perms;
	allow $1 user_fonts_t:file read_file_perms;
	allow $1 user_fonts_t:lnk_file read_lnk_file_perms;

	# Manipulate the user font cache (the only writable font content here)
	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
	manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)

	# Read per user font config
	allow $1 user_fonts_config_t:dir list_dir_perms;
	allow $1 user_fonts_config_t:file read_file_perms;

	# Fonts live under the user home directory
	userdom_search_user_home_dirs($1)
')
567 | ||
########################################
## <summary>
##	Transition to the Xauthority domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`xserver_domtrans_xauth',`
	gen_require(`
		type xauth_t, xauth_exec_t;
	')

	domtrans_pattern($1, xauth_exec_t, xauth_t)

	# Silence denials on sockets xauth inherits from the caller
	ifdef(`hide_broken_symptoms',`
		dontaudit xauth_t $1:socket_class_set { read write };
	')
')
589 | ||
########################################
## <summary>
##	Dontaudit exec of Xauthority program.
## </summary>
## <desc>
##	<p>
##	Only suppresses the audit message; no execute access is
##	granted. Use xserver_domtrans_xauth() to actually run it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_dontaudit_exec_xauth',`
	gen_require(`
		type xauth_exec_t;
	')

	dontaudit $1 xauth_exec_t:file execute;
')
488ec7bd | 607 | |
########################################
## <summary>
##	Create a Xauthority file in the user home directory.
## </summary>
## <desc>
##	<p>
##	Only the file type transition is set up here; the
##	create and write permissions on xauth_home_t must be
##	granted separately.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_user_home_dir_filetrans_user_xauth',`
	gen_require(`
		type xauth_home_t;
	')

	# Files created by $1 directly in the home directory get xauth_home_t
	userdom_user_home_dir_filetrans($1, xauth_home_t, file)
')
625 | ||
########################################
## <summary>
##	Read all users fonts, user font configurations,
##	and manage all users font caches.
## </summary>
## <desc>
##	<p>
##	Deprecated: emits a refpolicywarn and forwards to
##	xserver_use_user_fonts().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_use_all_users_fonts',`
	refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.')
	xserver_use_user_fonts($1)
')
641 | ||
########################################
## <summary>
##	Read all users .Xauthority.
## </summary>
## <desc>
##	<p>
##	Grants read of the authority cookie files plus the
##	home directory search needed to reach them; also
##	pulls in read access to the XDM pid files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_user_xauth',`
	gen_require(`
		type xauth_home_t;
	')

	allow $1 xauth_home_t:file read_file_perms;
	userdom_search_user_home_dirs($1)
	# NOTE(review): not implied by the summary; confirm callers rely on it
	xserver_read_xdm_pid($1)
')
661 | ||
########################################
## <summary>
##	Set the attributes of the X windows console named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_setattr_console_pipes',`
	gen_require(`
		type xconsole_device_t;
	')

	# setattr only; read/write is xserver_rw_console()
	allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
')
679 | ||
########################################
## <summary>
##	Read and write the X windows console named pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_rw_console',`
	gen_require(`
		type xconsole_device_t;
	')

	allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
')
697 | ||
########################################
## <summary>
##	Use file descriptors for xdm.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_use_xdm_fds',`
	gen_require(`
		type xdm_t;
	')

	# Descriptors inherited from the display manager
	allow $1 xdm_t:fd use;
')
715 | ||
########################################
## <summary>
##	Do not audit attempts to inherit
##	XDM file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`xserver_dontaudit_use_xdm_fds',`
	gen_require(`
		type xdm_t;
	')

	# Counterpart of xserver_use_xdm_fds(); suppresses the denial only
	dontaudit $1 xdm_t:fd use;
')
734 | ||
########################################
## <summary>
##	Read and write XDM unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_rw_xdm_pipes',`
	gen_require(`
		type xdm_t;
	')

	# Inherited pipes only (no open); pairs with xserver_use_xdm_fds()
	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
')
752 | ||
########################################
## <summary>
##	Do not audit attempts to read and write
##	XDM unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
	gen_require(`
		type xdm_t;
	')

	# NOTE(review): silences rw_fifo_file_perms, a wider set than the
	# rw_inherited_fifo_file_perms granted by xserver_rw_xdm_pipes();
	# harmless for a dontaudit, but the two could be aligned.
	dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
')
771 | ||
########################################
## <summary>
##	Connect to XDM over a unix domain
##	stream socket.
## </summary>
## <desc>
##	<p>
##	Covers socket files in both the XDM temporary directory
##	and the XDM runtime (pid) directory.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_stream_connect_xdm',`
	gen_require(`
		type xdm_t, xdm_tmp_t, xdm_var_run_t;
	')

	# Path lookups for the two socket locations
	files_search_tmp($1)
	files_search_pids($1)
	stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
	stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)
')
488ec7bd | 793 | |
########################################
## <summary>
##	Read xdm-writable configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_xdm_rw_config',`
	gen_require(`
		type xdm_rw_etc_t;
	')

	# Read only; write to xdm_rw_etc_t stays with the xdm domain
	files_search_etc($1)
	allow $1 xdm_rw_etc_t:file read_file_perms;
')
812 | ||
########################################
## <summary>
##	Set the attributes of XDM temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_setattr_xdm_tmp_dirs',`
	gen_require(`
		type xdm_tmp_t;
	')

	# The restricted role dontaudits this same permission
	allow $1 xdm_tmp_t:dir setattr_dir_perms;
')
830 | ||
########################################
## <summary>
##	Create a named socket in a XDM
##	temporary directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_create_xdm_tmp_sockets',`
	gen_require(`
		type xdm_tmp_t;
	')

	# Reach and list the directory, then create socket files in it
	files_search_tmp($1)
	allow $1 xdm_tmp_t:dir list_dir_perms;
	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
07620c08 | 851 | |
########################################
## <summary>
##	Read XDM pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_xdm_pid',`
	gen_require(`
		type xdm_var_run_t;
	')

	files_search_pids($1)

	# Expanded form of read_files_pattern($1, xdm_var_run_t, xdm_var_run_t):
	# traverse the xdm_var_run_t directory and read its files.
	allow $1 xdm_var_run_t:dir search_dir_perms;
	allow $1 xdm_var_run_t:file read_file_perms;
')
488ec7bd | 870 | |
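########################################
## <summary>
##	Read XDM var lib files.
## </summary>
## <desc>
##	<p>
##	Grants search on /var/lib and on xdm_var_lib_t directories
##	together with read on xdm_var_lib_t files, so the interface
##	is usable on its own, in line with xserver_read_xkb_libs and
##	xserver_read_xdm_pid in this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_xdm_lib_files',`
	gen_require(`
		type xdm_var_lib_t;
	')

	# Directory traversal is included so the caller can actually
	# reach the files; file-level read alone is not sufficient.
	files_search_var_lib($1)
	read_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
')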
888 | ||
########################################
## <summary>
##	Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The domain for which the X session script
##	(xsession_exec_t) is an entrypoint.
##	</summary>
## </param>
#
interface(`xserver_xsession_entry_type',`
	gen_require(`
		type xsession_exec_t;
	')

	# Entry-point only: no transition rule is created here, the
	# caller pairs this with its own domtrans/run rules.
	domain_entry_file($1, xsession_exec_t)
')
906 | |
########################################
## <summary>
##	Execute an X session in the target domain. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <desc>
##	<p>
##	Execute an Xsession script in the target domain. Because
##	domain_trans() rather than domtrans_pattern() is used, no
##	type_transition is installed: the transition happens only
##	when the caller explicitly requests it via setexeccon().
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the X session process.
##	</summary>
## </param>
#
interface(`xserver_xsession_spec_domtrans',`
	gen_require(`
		type xsession_exec_t;
	')

	domain_trans($1, xsession_exec_t, $2)
')
943 | ||
########################################
## <summary>
##	Get the attributes of X server logs.
## </summary>
## <desc>
##	<p>
##	Metadata only (getattr on xserver_log_t files); the log
##	contents are not readable through this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_getattr_log',`
	gen_require(`
		type xserver_log_t;
	')

	allow $1 xserver_log_t:file getattr_file_perms;
	logging_search_logs($1)
')
962 | ||
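########################################
## <summary>
##	Do not audit attempts to read or write inherited
##	X server log file descriptors.
## </summary>
## <desc>
##	<p>
##	The silenced set is rw_inherited_file_perms, which covers
##	reads as well as writes on an xserver_log_t descriptor
##	handed to the domain; by refpolicy convention the inherited
##	set omits open, so opening the log directly is still audited.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`xserver_dontaudit_write_log',`
	gen_require(`
		type xserver_log_t;
	')

	dontaudit $1 xserver_log_t:file rw_inherited_file_perms;
')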
981 | |
########################################
## <summary>
##	Delete X server log files.
## </summary>
## <desc>
##	<p>
##	Allows listing the xserver_log_t directory and unlinking
##	regular files and FIFOs of that type. A domain with this
##	access can erase the server's log trail, so it should be
##	limited to log-rotation style callers.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_delete_log',`
	gen_require(`
		type xserver_log_t;
	')

	logging_search_logs($1)
	allow $1 xserver_log_t:dir list_dir_perms;

	# Expanded delete_files_pattern / delete_fifo_files_pattern.
	allow $1 xserver_log_t:dir del_entry_dir_perms;
	allow $1 xserver_log_t:file delete_file_perms;
	allow $1 xserver_log_t:fifo_file delete_fifo_file_perms;
')
1002 | |
########################################
## <summary>
##	Read X keyboard extension libraries.
## </summary>
## <desc>
##	<p>
##	Read-only access to xkb_var_lib_t directories, files and
##	symlinks under /var/lib.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_xkb_libs',`
	gen_require(`
		type xkb_var_lib_t;
	')

	files_search_var_lib($1)

	# Expanded read_files_pattern / read_lnk_files_pattern; list_dir_perms
	# already includes search on the directory.
	allow $1 xkb_var_lib_t:dir list_dir_perms;
	allow $1 xkb_var_lib_t:file read_file_perms;
	allow $1 xkb_var_lib_t:lnk_file read_lnk_file_perms;
')
1023 | ||
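########################################
## <summary>
##	Read xdm config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_xdm_etc_files',`
	gen_require(`
		type xdm_etc_t;
	')

	# This is an allow interface; the parameter was previously
	# mis-described as a dontaudit target.
	files_search_etc($1)
	read_files_pattern($1, xdm_etc_t, xdm_etc_t)
')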
1042 | ||
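########################################
## <summary>
##	Manage xdm config files.
## </summary>
## <desc>
##	<p>
##	Create, read, write and delete xdm_etc_t files. Since this
##	is the display manager's own configuration, a domain holding
##	this access can presumably influence what xdm runs; grant it
##	only to trusted administrative or packaging domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_manage_xdm_etc_files',`
	gen_require(`
		type xdm_etc_t;
	')

	files_search_etc($1)
	manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
')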
1061 | ||
########################################
## <summary>
##	Read xdm temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_xdm_tmp_files',`
	gen_require(`
		type xdm_tmp_t;
	')

	files_search_tmp($1)

	# Expanded read_files_pattern($1, xdm_tmp_t, xdm_tmp_t).
	allow $1 xdm_tmp_t:dir search_dir_perms;
	allow $1 xdm_tmp_t:file read_file_perms;
')
1080 | ||
########################################
## <summary>
##	Do not audit attempts to read xdm temporary files.
## </summary>
## <desc>
##	<p>
##	Silences denials for searching xdm_tmp_t directories and
##	reading xdm_tmp_t files; nothing is allowed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`xserver_dontaudit_read_xdm_tmp_files',`
	gen_require(`
		type xdm_tmp_t;
	')

	dontaudit $1 xdm_tmp_t:file read_file_perms;
	dontaudit $1 xdm_tmp_t:dir search_dir_perms;
')
1099 | ||
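########################################
## <summary>
##	Read write xdm temporary files.
## </summary>
## <desc>
##	<p>
##	Read and write existing xdm_tmp_t files. Search on /tmp is
##	granted as well, consistent with xserver_read_xdm_tmp_files,
##	so the files are reachable without extra rules.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_rw_xdm_tmp_files',`
	gen_require(`
		type xdm_tmp_t;
	')

	files_search_tmp($1)
	# search_dir_perms on the directory plus rw_file_perms on the files.
	rw_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')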
1118 | ||
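########################################
## <summary>
##	Create, read, write, and delete xdm temporary files.
## </summary>
## <desc>
##	<p>
##	Full file management on xdm_tmp_t plus search on /tmp,
##	consistent with the other xdm_tmp_t interfaces here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_manage_xdm_tmp_files',`
	gen_require(`
		type xdm_tmp_t;
	')

	files_search_tmp($1)
	manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')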
1136 | ||
########################################
## <summary>
##	Do not audit attempts to get the attributes of
##	xdm temporary named sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
	gen_require(`
		type xdm_tmp_t;
	')

	# Only stat-type probes on xdm_tmp_t sock_files are silenced.
	dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
')
1155 | ||
########################################
## <summary>
##	Execute the X server in the X server domain.
## </summary>
## <desc>
##	<p>
##	Automatic transition to xserver_t on execution of
##	xserver_exec_t. In addition the new xserver_t process may
##	inherit the caller's signal state (siginh), and xserver_t
##	may query the caller's process group.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`xserver_domtrans',`
	gen_require(`
		type xserver_t, xserver_exec_t;
	')

	domtrans_pattern($1, xserver_exec_t, xserver_t)

	# siginh is checked old-domain -> new-domain; presumably granted
	# here to override the dontaudit in domtrans_pattern -- confirm.
	allow $1 xserver_t:process siginh;

	# Reverse direction: the server may look up the caller's pgid.
	allow xserver_t $1:process getpgid;
')
1176 | ||
########################################
## <summary>
##	Send generic signals to X servers.
## </summary>
## <desc>
##	<p>
##	Grants the signal permission only; sigkill is a separate
##	interface (xserver_kill).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_signal',`
	gen_require(`
		type xserver_t;
	')

	allow $1 xserver_t:process signal;
')
1194 | ||
########################################
## <summary>
##	Send SIGKILL to X servers.
## </summary>
## <desc>
##	<p>
##	A domain with this access can terminate the display server
##	and with it every client session; keep it to supervisory
##	domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_kill',`
	gen_require(`
		type xserver_t;
	')

	allow $1 xserver_t:process sigkill;
')
1212 | ||
########################################
## <summary>
##	Read and write X server Sys V Shared
##	memory segments.
## </summary>
## <desc>
##	<p>
##	Shared memory owned by xserver_t. Presumably used for
##	MIT-SHM style image transfer; note it is the server's
##	segments that become readable and writable, so a caller can
##	see whatever the server places there.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_rw_shm',`
	gen_require(`
		type xserver_t;
	')

	allow $1 xserver_t:shm rw_shm_perms;
')
1231 | ||
########################################
## <summary>
##	Do not audit attempts to read and write
##	X server TCP sockets.
## </summary>
## <desc>
##	<p>
##	Typically for leaked descriptors: only read and write on an
##	inherited xserver_t tcp_socket are silenced, nothing is allowed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`xserver_dontaudit_rw_tcp_sockets',`
	gen_require(`
		type xserver_t;
	')

	dontaudit $1 xserver_t:tcp_socket { read write };
')
522b59bb | 1250 | |
########################################
## <summary>
##	Do not audit attempts to read and write X server
##	unix domain stream sockets.
## </summary>
## <desc>
##	<p>
##	Silences read/write on an xserver_t unix_stream_socket
##	(e.g. a descriptor inherited across exec); nothing is allowed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`xserver_dontaudit_rw_stream_sockets',`
	gen_require(`
		type xserver_t;
	')

	dontaudit $1 xserver_t:unix_stream_socket { read write };
')
1269 | ||
########################################
## <summary>
##	Connect to the X server over a unix domain
##	stream socket.
## </summary>
## <desc>
##	<p>
##	Besides the connect (search /tmp, write the xserver_tmp_t
##	socket file, connectto xserver_t), this also grants the
##	server read/write access to the caller's Sys V shared memory
##	segments. Callers should be aware that the server, not only
##	the client, gains access to memory as a result.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_stream_connect',`
	gen_require(`
		type xserver_t, xserver_tmp_t;
	')

	files_search_tmp($1)
	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)

	# Reverse grant: server -> client shm (presumably for MIT-SHM).
	allow xserver_t $1:shm rw_shm_perms;
')
2c12b471 | 1290 | |
########################################
## <summary>
##	Read X server temporary files.
## </summary>
## <desc>
##	<p>
##	File-level read on xserver_tmp_t plus search on /tmp. No
##	directory permission on xserver_tmp_t itself is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_tmp_files',`
	gen_require(`
		type xserver_tmp_t;
	')

	files_search_tmp($1)
	allow $1 xserver_tmp_t:file read_file_perms;
')
1309 | ||
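########################################
## <summary>
##	Interface to provide X object permissions on a given X server to
##	an X client domain. Gives the domain every permission on the
##	virtual core keyboard and virtual core pointer devices, plus
##	read/manage access to the drawables of all X client domains.
## </summary>
## <desc>
##	<p>
##	This is considerably broader than "read the core devices":
##	the device, pointer and keyboard classes are granted with a
##	wildcard, the screen may be modified (setattr), and read,
##	manage, setattr and show are allowed on every x_domain
##	drawable as well as manage/read on the root drawable. A
##	domain holding this can observe and manipulate other clients'
##	windows and input devices; treat it like an input-method or
##	accessibility helper privilege, not an ordinary client grant.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_manage_core_devices',`
	gen_require(`
		type xserver_t, root_xdrawable_t;
		attribute x_domain;
		class x_device all_x_device_perms;
		class x_pointer all_x_pointer_perms;
		class x_keyboard all_x_keyboard_perms;
		class x_screen all_x_screen_perms;
		# single declaration; the former duplicate { manage } entry
		# was subsumed by this one
		class x_drawable { read manage setattr show };
		class x_resource { write read };
	')

	# Wildcard: every permission on the server's input device objects.
	allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
	allow $1 xserver_t:x_screen setattr;

	# Cross-client access to drawables and resources of all X domains.
	allow $1 x_domain:x_drawable { read manage setattr show };
	allow $1 x_domain:x_resource { write read };
	allow $1 root_xdrawable_t:x_drawable { manage read };
')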
1342 | ||
########################################
## <summary>
##	Interface to provide X object permissions on a given X server to
##	an X client domain. Gives the domain complete control over the
##	display.
## </summary>
## <desc>
##	<p>
##	Implemented by attaching the x_domain and xserver_unconfined_type
##	attributes; whatever rules this module grants to those attributes
##	apply to the domain. "Complete control over the display" means
##	the domain is not separated from other clients at the X level
##	at all, so this should be reserved for fully trusted domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_unconfined',`
	gen_require(`
		attribute x_domain, xserver_unconfined_type;
	')

	typeattribute $1 xserver_unconfined_type;
	typeattribute $1 x_domain;
')
1363 | |
########################################
## <summary>
##	Do not audit attempts to read or write inherited
##	.xsession-errors descriptors.
## </summary>
## <desc>
##	<p>
##	Covers xdm_home_t and xserver_tmp_t files, and, when home
##	directories live on NFS or CIFS, the corresponding filesystem
##	types. Only the inherited permission set is silenced.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`xserver_dontaudit_append_xdm_home_files',`
	gen_require(`
		type xdm_home_t, xserver_tmp_t;
	')

	dontaudit $1 xserver_tmp_t:file rw_inherited_file_perms;
	dontaudit $1 xdm_home_t:file rw_inherited_file_perms;

	tunable_policy(`use_samba_home_dirs',`
		fs_dontaudit_rw_cifs_files($1)
	')

	tunable_policy(`use_nfs_home_dirs',`
		fs_dontaudit_rw_nfs_files($1)
	')
')
1390 | ||
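########################################
## <summary>
##	Append to the .xsession-errors file.
## </summary>
## <desc>
##	<p>
##	Append-only access to xdm_home_t and xserver_tmp_t files,
##	extended to NFS/CIFS files when the matching home directory
##	tunables are enabled. This is an allow interface; the
##	parameter was previously mis-described as a dontaudit target.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_append_xdm_home_files',`
	gen_require(`
		type xdm_home_t, xserver_tmp_t;
	')

	allow $1 xdm_home_t:file append_file_perms;
	allow $1 xserver_tmp_t:file append_file_perms;

	tunable_policy(`use_nfs_home_dirs',`
		fs_append_nfs_files($1)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_append_cifs_files($1)
	')
')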
1417 | ||
########################################
## <summary>
##	Manage the xdm_spool files.
## </summary>
## <desc>
##	<p>
##	Search /var/spool and create, read, write and delete
##	xdm_spool_t files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_xdm_manage_spool',`
	gen_require(`
		type xdm_spool_t;
	')

	files_search_spool($1)

	# Expanded manage_files_pattern($1, xdm_spool_t, xdm_spool_t).
	allow $1 xdm_spool_t:dir rw_dir_perms;
	allow $1 xdm_spool_t:file manage_file_perms;
')
1436 | ||
########################################
## <summary>
##	Send and receive messages from
##	xdm over dbus.
## </summary>
## <desc>
##	<p>
##	Bidirectional: both the caller and xdm_t get send_msg
##	towards each other.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_dbus_chat_xdm',`
	gen_require(`
		type xdm_t;
		class dbus send_msg;
	')

	allow xdm_t $1:dbus send_msg;
	allow $1 xdm_t:dbus send_msg;
')
1457 | ||
########################################
## <summary>
##	Read xserver files created in /var/run.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_pid',`
	gen_require(`
		type xserver_var_run_t;
	')

	files_search_pids($1)

	# Expanded read_files_pattern($1, xserver_var_run_t, xserver_var_run_t).
	allow $1 xserver_var_run_t:dir search_dir_perms;
	allow $1 xserver_var_run_t:file read_file_perms;
')
1476 | ||
########################################
## <summary>
##	Execute xserver files created in /var/run.
## </summary>
## <desc>
##	<p>
##	xserver_var_run_t is a runtime-writable location (see
##	xserver_write_pid in this module), so a domain given execute
##	here runs whatever a writer of those files supplies. Grant it
##	deliberately.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_exec_pid',`
	gen_require(`
		type xserver_var_run_t;
	')

	files_search_pids($1)

	# Expanded exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t).
	allow $1 xserver_var_run_t:dir search_dir_perms;
	allow $1 xserver_var_run_t:file exec_file_perms;
')
1495 | ||
########################################
## <summary>
##	Write xserver files created in /var/run.
## </summary>
## <desc>
##	<p>
##	Write access to existing xserver_var_run_t files (no create
##	or delete). Note that xserver_exec_pid lets other domains
##	execute these same files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_write_pid',`
	gen_require(`
		type xserver_var_run_t;
	')

	files_search_pids($1)

	# Expanded write_files_pattern($1, xserver_var_run_t, xserver_var_run_t).
	allow $1 xserver_var_run_t:dir search_dir_perms;
	allow $1 xserver_var_run_t:file write_file_perms;
')
1514 | ||
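########################################
## <summary>
##	Append to the xdm log files, and mark the domain
##	as an xdm home-directory writer.
## </summary>
## <desc>
##	<p>
##	Besides append on xdm_log_t files this attaches the
##	xdmhomewriter attribute to the domain, so any rule granted
##	to that attribute elsewhere in the module applies too. This
##	is an allow interface; the parameter was previously
##	mis-described as a dontaudit target.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_xdm_append_log',`
	gen_require(`
		type xdm_log_t;
		attribute xdmhomewriter;
	')

	# Side effect beyond the log: attribute membership.
	typeattribute $1 xdmhomewriter;
	append_files_pattern($1, xdm_log_t, xdm_log_t)
')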
1535 | ||
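########################################
## <summary>
##	Read a user .ICEauthority file.
## </summary>
## <desc>
##	<p>
##	Read on iceauth_home_t files. The authority file presumably
##	holds the user's ICE session-authentication cookies, so a
##	reader can authenticate to the user's session services;
##	limit this to domains that genuinely need ICE.
##	</p>
##	<p>
##	NOTE(review): declared as a template although it derives no
##	per-user types; it is called like an interface. Consider
##	converting it -- unchanged here to avoid altering callers.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
template(`xserver_read_user_iceauth',`
	gen_require(`
		type iceauth_home_t;
	')

	# Read .ICEauthority; no home directory search is granted here.
	allow $1 iceauth_home_t:file read_file_perms;
')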
1554 | ||
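########################################
## <summary>
##	Read and write inherited user home directory
##	font and font configuration files.
## </summary>
## <desc>
##	<p>
##	Only the inherited permission set is granted (by refpolicy
##	convention it omits open), so the caller can use descriptors
##	handed to it but cannot open these files on its own. Symlinks
##	under the font directory may be read.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_rw_inherited_user_fonts',`
	gen_require(`
		type user_fonts_t, user_fonts_config_t;
	')

	allow $1 user_fonts_t:file rw_inherited_file_perms;
	# read_lnk_file_perms belongs on the lnk_file class; it had been
	# applied to :file, where it only duplicated the rule above.
	allow $1 user_fonts_t:lnk_file read_lnk_file_perms;

	allow $1 user_fonts_config_t:file rw_inherited_file_perms;
')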
1575 | ||
########################################
## <summary>
##	Search XDM var lib dirs.
## </summary>
## <desc>
##	<p>
##	Traversal of xdm_var_lib_t directories only; no search on
##	/var/lib itself is included.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_search_xdm_lib',`
	gen_require(`
		type xdm_var_lib_t;
	')

	allow $1 xdm_var_lib_t:dir search_dir_perms;
')
1593 | ||
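########################################
## <summary>
##	Make the X server executable an entrypoint for the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The domain for which the X server executable
##	(xserver_exec_t) is an entrypoint.
##	</summary>
## </param>
#
interface(`xserver_entry_type',`
	gen_require(`
		type xserver_exec_t;
	')

	# Entry-point only; no transition is created here.
	domain_entry_file($1, xserver_exec_t)
')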
1611 | ||
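########################################
## <summary>
##	Execute the X server in the xserver domain, and
##	allow the specified role the xserver domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the xserver domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`xserver_run',`
	gen_require(`
		type xserver_t;
	')

	# Transition rules come from xserver_domtrans; this adds the
	# role authorization needed for the transition to succeed.
	xserver_domtrans($1)
	role $2 types xserver_t;
')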
1637 | ||
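########################################
## <summary>
##	Execute xauth in the xauth domain, and
##	allow the specified role the xauth domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the xauth domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`xserver_run_xauth',`
	gen_require(`
		type xauth_t;
	')

	# Transition rules come from xserver_domtrans_xauth; this adds
	# the role authorization for xauth_t.
	xserver_domtrans_xauth($1)
	role $2 types xauth_t;
')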
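
########################################
## <summary>
##	Create, read, write, and delete user home
##	directory fonts and font configuration.
## </summary>
## <desc>
##	<p>
##	Full management of user_fonts_t directories, files and
##	symlinks, and of user_fonts_config_t files. This is write
##	access to the user's font setup, not merely read as the
##	previous summary claimed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`xserver_manage_home_fonts',`
	gen_require(`
		type user_fonts_t, user_fonts_config_t;
	')

	manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
	manage_files_pattern($1, user_fonts_t, user_fonts_t)
	manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)

	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
')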