]> git.ipfire.org Git - people/stevee/selinux-policy.git/blame - policy/modules/services/xserver.if
projects / people / stevee / selinux-policy.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge upstream
[people/stevee/selinux-policy.git] / policy / modules / services / xserver.if
CommitLineData
488ec7bd
CP		 1## <summary>X Windows Server</summary>
2
296273a7 3########################################
488ec7bd 4## <summary>
296273a7 5## Rules required for using the X Windows server
93c49bdb 6## and environment, for restricted users.
488ec7bd 7## </summary>
296273a7 8## <param name="role">
885b83ec 9## <summary>
296273a7 10## Role allowed access.
885b83ec 11## </summary>
488ec7bd 12## </param>
296273a7 13## <param name="domain">
885b83ec 14## <summary>
296273a7 15## Domain allowed access.
885b83ec 16## </summary>
488ec7bd
CP		 17## </param>
18#
93c49bdb 19interface(`xserver_restricted_role',`
563e58e8 20 gen_require(`
296273a7 21 type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
3eaa9939 22 type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t;
296273a7
CP		 23 type iceauth_t, iceauth_exec_t, iceauth_home_t;
24 type xauth_t, xauth_exec_t, xauth_home_t;
3eaa9939 25 class dbus send_msg;
296273a7 26 ')
acd87ca9 27
296273a7 28 role $1 types { xserver_t xauth_t iceauth_t };
acd87ca9 29
93c49bdb
CP		 30 # Xserver read/write client shm
31 allow xserver_t $2:fd use;
32 allow xserver_t $2:shm rw_shm_perms;
33
296273a7 34 domtrans_pattern($2, xserver_exec_t, xserver_t)
3eaa9939 35 allow xserver_t $2:process { getpgid signal };
488ec7bd 36
296273a7 37 allow xserver_t $2:shm rw_shm_perms;
488ec7bd 38
93c49bdb
CP		 39 allow $2 user_fonts_t:dir list_dir_perms;
40 allow $2 user_fonts_t:file read_file_perms;
dfe675b8 41 allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
93c49bdb
CP		 42
43 allow $2 user_fonts_config_t:dir list_dir_perms;
44 allow $2 user_fonts_config_t:file read_file_perms;
1786478c 45
296273a7
CP		 46 manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
47 manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
1786478c 48
296273a7 49 stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
3eaa9939 50 allow $2 xserver_tmp_t:sock_file unlink;
93c49bdb 51 files_search_tmp($2)
488ec7bd
CP		 52
53 # Communicate via System V shared memory.
93c49bdb
CP		 54 allow $2 xserver_t:shm r_shm_perms;
55 allow $2 xserver_tmpfs_t:file read_file_perms;
acd87ca9 56
296273a7
CP		 57 # allow ps to show iceauth
58 ps_process_pattern($2, iceauth_t)
acd87ca9 59
296273a7 60 domtrans_pattern($2, iceauth_exec_t, iceauth_t)
acd87ca9 61
93c49bdb 62 allow $2 iceauth_home_t:file read_file_perms;
acd87ca9 63
296273a7 64 domtrans_pattern($2, xauth_exec_t, xauth_t)
acd87ca9 65
296273a7 66 allow $2 xauth_t:process signal;
acd87ca9 67
3b311307 68 # allow ps to show xauth
3f67f722 69 ps_process_pattern($2, xauth_t)
93c49bdb 70 allow $2 xserver_t:process signal;
acd87ca9 71
93c49bdb
CP		 72 allow $2 xauth_home_t:file read_file_perms;
73
74 # for when /tmp/.X11-unix is created by the system
75 allow $2 xdm_t:fd use;
59c03405 76 allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
3eaa9939 77 allow $2 xdm_tmp_t:dir search_dir_perms;
59c03405 78 allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
93c49bdb 79 dontaudit $2 xdm_t:tcp_socket { read write };
59c03405 80 dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;
3eaa9939
DW		 81
82 allow $2 xdm_t:dbus send_msg;
83 allow xdm_t $2:dbus send_msg;
93c49bdb
CP		 84
85 # Client read xserver shm
86 allow $2 xserver_t:fd use;
87 allow $2 xserver_tmpfs_t:file read_file_perms;
88
89 # Read /tmp/.X0-lock
59c03405 90 allow $2 xserver_tmp_t:file read_inherited_file_perms;
93c49bdb
CP		 91
92 dev_rw_xserver_misc($2)
93 dev_rw_power_management($2)
94 dev_read_input($2)
95 dev_read_misc($2)
96 dev_write_misc($2)
97 # open office is looking for the following
98 dev_getattr_agp_dev($2)
3eaa9939 99
93c49bdb
CP		 100 # GNOME checks for usb and other devices:
101 dev_rw_usbfs($2)
102
103 miscfiles_read_fonts($2)
3eaa9939 104 miscfiles_setattr_fonts_cache_dirs($2)
acd87ca9 105
296273a7 106 xserver_common_x_domain_template(user, $2)
93c49bdb
CP		 107 xserver_xsession_entry_type($2)
108 xserver_dontaudit_write_log($2)
109 xserver_stream_connect_xdm($2)
110 # certain apps want to read xdm.pid file
111 xserver_read_xdm_pid($2)
112 # gnome-session creates socket under /tmp/.ICE-unix/
113 xserver_create_xdm_tmp_sockets($2)
114 # Needed for escd, remove if we get escd policy
115 xserver_manage_xdm_tmp_files($2)
116
2d102f84 117 ifdef(`hide_broken_symptoms',`
60d27bf8
DG		 118 dontaudit iceauth_t $2:socket_class_set { read write };
119 ')
120
93c49bdb
CP		 121 # Client write xserver shm
122 tunable_policy(`allow_write_xshm',`
123 allow $2 xserver_t:shm rw_shm_perms;
124 allow $2 xserver_tmpfs_t:file rw_file_perms;
125 ')
60d27bf8
DG		 126
127 tunable_policy(`user_direct_dri',`
128 dev_rw_dri($2)
129 ')
488ec7bd
CP		 130')
131
93c49bdb
CP		 132########################################
133## <summary>
134## Rules required for using the X Windows server
135## and environment.
136## </summary>
137## <param name="role">
138## <summary>
139## Role allowed access.
140## </summary>
141## </param>
142## <param name="domain">
143## <summary>
144## Domain allowed access.
145## </summary>
146## </param>
147#
148interface(`xserver_role',`
149 gen_require(`
150 type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
151 type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
152 ')
153
154 xserver_restricted_role($1, $2)
155
156 # Communicate via System V shared memory.
157 allow $2 xserver_t:shm rw_shm_perms;
158 allow $2 xserver_tmpfs_t:file rw_file_perms;
159
160 allow $2 iceauth_home_t:file manage_file_perms;
a3d20a3c 161 allow $2 iceauth_home_t:file relabel_file_perms;
93c49bdb
CP		 162
163 allow $2 xauth_home_t:file manage_file_perms;
a3d20a3c 164 allow $2 xauth_home_t:file relabel_file_perms;
93c49bdb 165
3eaa9939 166 mls_xwin_read_to_clearance($2)
93c49bdb
CP		 167 manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
168 manage_files_pattern($2, user_fonts_t, user_fonts_t)
dfe675b8 169 allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
93c49bdb
CP		 170 relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
171 relabel_files_pattern($2, user_fonts_t, user_fonts_t)
172
173 manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
174 manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
175 relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
176 relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
177
178 manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
179 manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
180 relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
181 relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
93c49bdb
CP		 182')
183
24a63797
CP		 184#######################################
185## <summary>
296273a7 186## Create sessions on the X server, with read-only
24a63797
CP		 187## access to the X server shared
188## memory segments.
189## </summary>
24a63797
CP		 190## <param name="domain">
191## <summary>
192## Domain allowed access.
193## </summary>
194## </param>
195## <param name="tmpfs_type">
196## <summary>
197## The type of the domain SYSV tmpfs files.
198## </summary>
199## </param>
200#
296273a7 201interface(`xserver_ro_session',`
24a63797 202 gen_require(`
296273a7 203 type xserver_t, xserver_tmp_t, xserver_tmpfs_t;
24a63797
CP		 204 ')
205
206 # Xserver read/write client shm
296273a7
CP		 207 allow xserver_t $1:fd use;
208 allow xserver_t $1:shm rw_shm_perms;
209 allow xserver_t $2:file rw_file_perms;
24a63797
CP		 210
211 # Connect to xserver
296273a7
CP		 212 allow $1 xserver_t:unix_stream_socket connectto;
213 allow $1 xserver_t:process signal;
24a63797
CP		 214
215 # Read /tmp/.X0-lock
3eaa9939 216 allow $1 xserver_tmp_t:file read_file_perms;
24a63797
CP		 217
218 # Client read xserver shm
296273a7
CP		 219 allow $1 xserver_t:fd use;
220 allow $1 xserver_t:shm r_shm_perms;
221 allow $1 xserver_tmpfs_t:file read_file_perms;
24a63797
CP		 222')
223
224#######################################
225## <summary>
296273a7 226## Create sessions on the X server, with read and write
24a63797
CP		 227## access to the X server shared
228## memory segments.
229## </summary>
24a63797
CP		 230## <param name="domain">
231## <summary>
232## Domain allowed access.
233## </summary>
234## </param>
235## <param name="tmpfs_type">
236## <summary>
237## The type of the domain SYSV tmpfs files.
238## </summary>
239## </param>
240#
296273a7 241interface(`xserver_rw_session',`
24a63797 242 gen_require(`
296273a7 243 type xserver_t, xserver_tmpfs_t;
24a63797
CP		 244 ')
245
296273a7
CP		 246 xserver_ro_session($1,$2)
247 allow $1 xserver_t:shm rw_shm_perms;
248 allow $1 xserver_tmpfs_t:file rw_file_perms;
24a63797
CP		 249')
250
6246e7d3
CP		 251#######################################
252## <summary>
253## Create non-drawing client sessions on an X server.
254## </summary>
255## <param name="domain">
256## <summary>
257## Domain allowed access.
258## </summary>
259## </param>
260#
261interface(`xserver_non_drawing_client',`
262 gen_require(`
263 class x_drawable { getattr get_property };
264 class x_extension { query use };
265 class x_gc { create setattr };
266 class x_property read;
267
268 type xserver_t, xdm_var_run_t;
269 type xextension_t, xproperty_t, root_xdrawable_t;
270 ')
271
272 allow $1 self:x_gc { create setattr };
273
274 allow $1 xdm_var_run_t:dir search;
275 allow $1 xserver_t:unix_stream_socket connectto;
276
277 allow $1 xextension_t:x_extension { query use };
278 allow $1 root_xdrawable_t:x_drawable { getattr get_property };
279 allow $1 xproperty_t:x_property read;
280')
281
24a63797
CP		 282#######################################
283## <summary>
296273a7 284## Create full client sessions
24a63797
CP		 285## on a user X server.
286## </summary>
24a63797
CP		 287## <param name="domain">
288## <summary>
289## Domain allowed access.
290## </summary>
291## </param>
292## <param name="tmpfs_type">
293## <summary>
294## The type of the domain SYSV tmpfs files.
295## </summary>
296## </param>
297#
296273a7 298interface(`xserver_user_client',`
4279891d 299 refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
24a63797
CP		 300 gen_require(`
301 type xdm_t, xdm_tmp_t;
296273a7 302 type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
24a63797
CP		 303 ')
304
296273a7
CP		 305 allow $1 self:shm create_shm_perms;
306 allow $1 self:unix_dgram_socket create_socket_perms;
307 allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
24a63797
CP		 308
309 # Read .Xauthority file
3eaa9939
DW		 310 allow $1 xauth_home_t:file read_file_perms;
311 allow $1 iceauth_home_t:file read_file_perms;
24a63797
CP		 312
313 # for when /tmp/.X11-unix is created by the system
296273a7 314 allow $1 xdm_t:fd use;
3eaa9939 315 allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
296273a7
CP		 316 allow $1 xdm_tmp_t:dir search;
317 allow $1 xdm_tmp_t:sock_file { read write };
318 dontaudit $1 xdm_t:tcp_socket { read write };
24a63797
CP		 319
320 # Allow connections to X server.
296273a7 321 files_search_tmp($1)
24a63797 322
296273a7 323 miscfiles_read_fonts($1)
24a63797 324
296273a7 325 userdom_search_user_home_dirs($1)
24a63797 326 # for .xsession-errors
296273a7 327 userdom_dontaudit_write_user_home_content_files($1)
24a63797 328
296273a7
CP		 329 xserver_ro_session($1,$2)
330 xserver_use_user_fonts($1)
24a63797 331
296273a7 332 xserver_read_xdm_tmp_files($1)
6b19be33 333
24a63797
CP		 334 # Client write xserver shm
335 tunable_policy(`allow_write_xshm',`
296273a7
CP		 336 allow $1 xserver_t:shm rw_shm_perms;
337 allow $1 xserver_tmpfs_t:file rw_file_perms;
24a63797 338 ')
1786478c 339')
24a63797 340
2c12b471
CP		 341#######################################
342## <summary>
343## Interface to provide X object permissions on a given X server to
344## an X client domain. Provides the minimal set required by a basic
345## X client application.
346## </summary>
2c12b471
CP		 347## <param name="prefix">
348## <summary>
349## The prefix of the X client domain (e.g., user
350## is the prefix for user_t).
351## </summary>
352## </param>
353## <param name="domain">
354## <summary>
355## Client domain allowed access.
356## </summary>
357## </param>
358#
359template(`xserver_common_x_domain_template',`
360 gen_require(`
5242ecce
EW		 361 type root_xdrawable_t;
362 type xproperty_t, $1_xproperty_t;
2c12b471 363 type xevent_t, client_xevent_t;
5242ecce 364 type input_xevent_t, $1_input_xevent_t;
2c12b471 365
2f94f460 366 attribute x_domain, input_xevent_type;
5242ecce 367 attribute xdrawable_type, xcolormap_type;
2c12b471
CP		 368
369 class x_drawable all_x_drawable_perms;
2c12b471 370 class x_property all_x_property_perms;
2c12b471
CP		 371 class x_event all_x_event_perms;
372 class x_synthetic_event all_x_synthetic_event_perms;
3eaa9939
DW		 373 class x_client destroy;
374 class x_server manage;
375 class x_screen { saver_setattr saver_hide saver_show };
376 class x_pointer { get_property set_property manage };
377 class x_keyboard { read manage };
378 type xdm_t, xserver_t;
2c12b471
CP		 379 ')
380
381 ##############################
382 #
296273a7 383 # Local Policy
2c12b471
CP		 384 #
385
386 # Type attributes
296273a7 387 typeattribute $2 x_domain;
5242ecce 388 typeattribute $2 xdrawable_type, xcolormap_type;
2c12b471 389
296273a7 390 # X Properties
5242ecce
EW		 391 # disable property transitions for the time being.
392# type_transition $2 xproperty_t:x_property $1_xproperty_t;
2c12b471 393
296273a7
CP		 394 # X Windows
395 # new windows have the domain type
5242ecce 396 type_transition $2 root_xdrawable_t:x_drawable $2;
296273a7
CP		 397
398 # X Input
5242ecce
EW		 399 # distinguish input events
400 type_transition $2 input_xevent_t:x_event $1_input_xevent_t;
401 # can send own events
402 allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } send;
296273a7
CP		 403 # can receive own events
404 allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
5242ecce
EW		 405 # can receive default events
406 allow $2 client_xevent_t:{ x_event x_synthetic_event } receive;
407 allow $2 xevent_t:{ x_event x_synthetic_event } receive;
408 # dont audit send failures
409 dontaudit $2 input_xevent_type:x_event send;
3eaa9939
DW		 410
411 allow $2 xdm_t:x_drawable { hide read add_child manage };
412 allow $2 xdm_t:x_client destroy;
413
414 allow $2 root_xdrawable_t:x_drawable write;
415 allow $2 xserver_t:x_server manage;
416 allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show };
417 allow $2 xserver_t:x_pointer { get_property set_property manage };
418 allow $2 xserver_t:x_keyboard { read manage };
296273a7
CP		 419')
420
421#######################################
422## <summary>
423## Template for creating the set of types used
424## in an X windows domain.
425## </summary>
426## <param name="prefix">
427## <summary>
428## The prefix of the X client domain (e.g., user
429## is the prefix for user_t).
430## </summary>
431## </param>
432#
433template(`xserver_object_types_template',`
434 gen_require(`
435 attribute xproperty_type, input_xevent_type, xevent_type;
436 ')
2c12b471
CP		 437
438 ##############################
439 #
296273a7 440 # Declarations
2c12b471
CP		 441 #
442
296273a7 443 # Types for properties
5242ecce 444 type $1_xproperty_t, xproperty_type;
296273a7 445 ubac_constrained($1_xproperty_t)
2c12b471 446
296273a7
CP		 447 # Types for events
448 type $1_input_xevent_t, input_xevent_type, xevent_type;
449 ubac_constrained($1_input_xevent_t)
2c12b471
CP		 450')
451
452#######################################
453## <summary>
454## Interface to provide X object permissions on a given X server to
455## an X client domain. Provides the minimal set required by a basic
456## X client application.
457## </summary>
2c12b471
CP		 458## <param name="prefix">
459## <summary>
460## The prefix of the X client domain (e.g., user
461## is the prefix for user_t).
462## </summary>
463## </param>
464## <param name="domain">
465## <summary>
466## Client domain allowed access.
467## </summary>
468## </param>
469## <param name="tmpfs_type">
470## <summary>
471## The type of the domain SYSV tmpfs files.
472## </summary>
473## </param>
474#
475template(`xserver_user_x_domain_template',`
476 gen_require(`
477 type xdm_t, xdm_tmp_t;
296273a7 478 type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
2c12b471
CP		 479 ')
480
296273a7
CP		 481 allow $2 self:shm create_shm_perms;
482 allow $2 self:unix_dgram_socket create_socket_perms;
483 allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
2c12b471
CP		 484
485 # Read .Xauthority file
296273a7
CP		 486 allow $2 xauth_home_t:file read_file_perms;
487 allow $2 iceauth_home_t:file read_file_perms;
2c12b471
CP		 488
489 # for when /tmp/.X11-unix is created by the system
296273a7 490 allow $2 xdm_t:fd use;
59c03405 491 allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
296273a7 492 allow $2 xdm_tmp_t:dir search_dir_perms;
59c03405 493 allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
296273a7 494 dontaudit $2 xdm_t:tcp_socket { read write };
2c12b471
CP		 495
496 # Allow connections to X server.
296273a7 497 files_search_tmp($2)
2c12b471 498
296273a7 499 miscfiles_read_fonts($2)
2c12b471 500
296273a7 501 userdom_search_user_home_dirs($2)
2c12b471 502 # for .xsession-errors
296273a7 503 userdom_dontaudit_write_user_home_content_files($2)
2c12b471 504
2d102f84 505 xserver_ro_session($2, $3)
296273a7 506 xserver_use_user_fonts($2)
2c12b471 507
296273a7 508 xserver_read_xdm_tmp_files($2)
3eaa9939 509 xserver_read_xdm_pid($2)
2c12b471
CP		 510
511 # X object manager
296273a7 512 xserver_object_types_template($1)
2d102f84 513 xserver_common_x_domain_template($1, $2)
2c12b471
CP		 514
515 # Client write xserver shm
516 tunable_policy(`allow_write_xshm',`
296273a7
CP		 517 allow $2 xserver_t:shm rw_shm_perms;
518 allow $2 xserver_tmpfs_t:file rw_file_perms;
2c12b471 519 ')
60d27bf8
DG		 520
521 tunable_policy(`user_direct_dri',`
522 dev_rw_dri($2)
523 ')
2c12b471
CP		 524')
525
1786478c
CP		 526########################################
527## <summary>
528## Read user fonts, user font configuration,
529## and manage the user font cache.
530## </summary>
531## <desc>
532## <p>
533## Read user fonts, user font configuration,
534## and manage the user font cache.
535## </p>
536## <p>
537## This is a templated interface, and should only
538## be called from a per-userdomain template.
539## </p>
540## </desc>
1786478c
CP		 541## <param name="domain">
542## <summary>
543## Domain allowed access.
544## </summary>
545## </param>
546#
296273a7 547interface(`xserver_use_user_fonts',`
1786478c 548 gen_require(`
296273a7 549 type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
1786478c
CP		 550 ')
551
552 # Read per user fonts
296273a7
CP		 553 allow $1 user_fonts_t:dir list_dir_perms;
554 allow $1 user_fonts_t:file read_file_perms;
dfe675b8 555 allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
1786478c
CP		 556
557 # Manipulate the global font cache
296273a7
CP		 558 manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
559 manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
1786478c
CP		 560
561 # Read per user font config
296273a7
CP		 562 allow $1 user_fonts_config_t:dir list_dir_perms;
563 allow $1 user_fonts_config_t:file read_file_perms;
1786478c 564
296273a7 565 userdom_search_user_home_dirs($1)
24a63797
CP		 566')
567
0f5d13fe 568########################################
488ec7bd 569## <summary>
296273a7 570## Transition to the Xauthority domain.
488ec7bd 571## </summary>
0f5d13fe 572## <param name="domain">
885b83ec 573## <summary>
288845a6 574## Domain allowed to transition.
885b83ec 575## </summary>
488ec7bd
CP		 576## </param>
577#
296273a7 578interface(`xserver_domtrans_xauth',`
0f5d13fe 579 gen_require(`
296273a7 580 type xauth_t, xauth_exec_t;
0f5d13fe 581 ')
488ec7bd 582
296273a7 583 domtrans_pattern($1, xauth_exec_t, xauth_t)
60d27bf8 584
2d102f84 585 ifdef(`hide_broken_symptoms',`
f79af266
DW		 586 dontaudit xauth_t $1:socket_class_set { read write };
587 ')
3eaa9939
DW		 588')
589
590########################################
591## <summary>
592## Dontaudit exec of Xauthority program.
593## </summary>
594## <param name="domain">
595## <summary>
596## Domain allowed access.
597## </summary>
598## </param>
599#
600interface(`xserver_dontaudit_exec_xauth',`
601 gen_require(`
602 type xauth_exec_t;
603 ')
604
605 dontaudit $1 xauth_exec_t:file execute;
0f5d13fe 606')
488ec7bd 607
6b19be33
CP		 608########################################
609## <summary>
296273a7 610## Create a Xauthority file in the user home directory.
6b19be33 611## </summary>
6b19be33
CP		 612## <param name="domain">
613## <summary>
614## Domain allowed access.
615## </summary>
616## </param>
617#
296273a7 618interface(`xserver_user_home_dir_filetrans_user_xauth',`
6b19be33 619 gen_require(`
296273a7 620 type xauth_home_t;
6b19be33
CP		 621 ')
622
296273a7 623 userdom_user_home_dir_filetrans($1, xauth_home_t, file)
6b19be33
CP		 624')
625
1786478c
CP		 626########################################
627## <summary>
628## Read all users fonts, user font configurations,
629## and manage all users font caches.
630## </summary>
631## <param name="domain">
632## <summary>
633## Domain allowed access.
634## </summary>
635## </param>
636#
637interface(`xserver_use_all_users_fonts',`
296273a7
CP		 638 refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.')
639 xserver_use_user_fonts($1)
1786478c
CP		 640')
641
4967aaa3
CP		 642########################################
643## <summary>
644## Read all users .Xauthority.
645## </summary>
646## <param name="domain">
647## <summary>
648## Domain allowed access.
649## </summary>
650## </param>
651#
296273a7 652interface(`xserver_read_user_xauth',`
4967aaa3 653 gen_require(`
296273a7 654 type xauth_home_t;
4967aaa3
CP		 655 ')
656
296273a7
CP		 657 allow $1 xauth_home_t:file read_file_perms;
658 userdom_search_user_home_dirs($1)
3eaa9939 659 xserver_read_xdm_pid($1)
4967aaa3
CP		 660')
661
413982c6
CP		 662########################################
663## <summary>
664## Set the attributes of the X windows console named pipes.
665## </summary>
666## <param name="domain">
667## <summary>
668## Domain allowed access.
669## </summary>
670## </param>
671#
672interface(`xserver_setattr_console_pipes',`
673 gen_require(`
674 type xconsole_device_t;
675 ')
676
59c03405 677 allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
413982c6
CP		 678')
679
680########################################
681## <summary>
682## Read and write the X windows console named pipe.
683## </summary>
684## <param name="domain">
685## <summary>
686## Domain allowed access.
687## </summary>
688## </param>
689#
690interface(`xserver_rw_console',`
691 gen_require(`
692 type xconsole_device_t;
693 ')
694
5f63dd12 695 allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
413982c6
CP		 696')
697
165b42d2
CP		 698########################################
699## <summary>
700## Use file descriptors for xdm.
701## </summary>
702## <param name="domain">
703## <summary>
704## Domain allowed access.
705## </summary>
706## </param>
707#
708interface(`xserver_use_xdm_fds',`
709 gen_require(`
710 type xdm_t;
711 ')
712
2d102f84 713 allow $1 xdm_t:fd use;
165b42d2
CP		 714')
715
d6d16b97
CP		 716########################################
717## <summary>
718## Do not audit attempts to inherit
719## XDM file descriptors.
720## </summary>
721## <param name="domain">
722## <summary>
723## Domain to not audit.
724## </summary>
725## </param>
726#
727interface(`xserver_dontaudit_use_xdm_fds',`
728 gen_require(`
729 type xdm_t;
730 ')
731
2d102f84 732 dontaudit $1 xdm_t:fd use;
d6d16b97
CP		 733')
734
165b42d2
CP		 735########################################
736## <summary>
737## Read and write XDM unnamed pipes.
738## </summary>
739## <param name="domain">
740## <summary>
d6d16b97 741## Domain allowed access.
165b42d2
CP		 742## </summary>
743## </param>
744#
745interface(`xserver_rw_xdm_pipes',`
746 gen_require(`
747 type xdm_t;
748 ')
749
59c03405 750 allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
165b42d2
CP		 751')
752
d6d16b97
CP		 753########################################
754## <summary>
755## Do not audit attempts to read and write
756## XDM unnamed pipes.
757## </summary>
758## <param name="domain">
759## <summary>
760## Domain to not audit.
761## </summary>
762## </param>
763#
764interface(`xserver_dontaudit_rw_xdm_pipes',`
d6d16b97
CP		 765 gen_require(`
766 type xdm_t;
767 ')
768
2d102f84 769 dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
d6d16b97
CP		 770')
771
0f5d13fe
CP		 772########################################
773## <summary>
774## Connect to XDM over a unix domain
775## stream socket.
776## </summary>
777## <param name="domain">
885b83ec 778## <summary>
0f5d13fe 779## Domain allowed access.
885b83ec 780## </summary>
0f5d13fe
CP		 781## </param>
782#
783interface(`xserver_stream_connect_xdm',`
784 gen_require(`
2f94f460 785 type xdm_t, xdm_tmp_t, xdm_var_run_t;
0f5d13fe 786 ')
488ec7bd 787
eac818f0 788 files_search_tmp($1)
f9266211 789 files_search_pids($1)
0bfccda4 790 stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
3eaa9939 791 stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)
0f5d13fe 792')
488ec7bd 793
5a975c1e
CP		 794########################################
795## <summary>
796## Read xdm-writable configuration files.
797## </summary>
798## <param name="domain">
885b83ec 799## <summary>
5a975c1e 800## Domain allowed access.
885b83ec 801## </summary>
5a975c1e
CP		 802## </param>
803#
804interface(`xserver_read_xdm_rw_config',`
805 gen_require(`
806 type xdm_rw_etc_t;
807 ')
808
809 files_search_etc($1)
82d2775c 810 allow $1 xdm_rw_etc_t:file read_file_perms;
5a975c1e
CP		 811')
812
813########################################
814## <summary>
815## Set the attributes of XDM temporary directories.
816## </summary>
817## <param name="domain">
885b83ec 818## <summary>
5a975c1e 819## Domain allowed access.
885b83ec 820## </summary>
5a975c1e
CP		 821## </param>
822#
823interface(`xserver_setattr_xdm_tmp_dirs',`
824 gen_require(`
825 type xdm_tmp_t;
826 ')
827
59c03405 828 allow $1 xdm_tmp_t:dir setattr_dir_perms;
5a975c1e
CP		 829')
830
0f5d13fe
CP		 831########################################
832## <summary>
833## Create a named socket in a XDM
834## temporary directory.
835## </summary>
836## <param name="domain">
885b83ec 837## <summary>
0f5d13fe 838## Domain allowed access.
885b83ec 839## </summary>
0f5d13fe
CP		 840## </param>
841#
1815bad1 842interface(`xserver_create_xdm_tmp_sockets',`
0f5d13fe
CP		 843 gen_require(`
844 type xdm_tmp_t;
845 ')
488ec7bd 846
0f5d13fe 847 files_search_tmp($1)
c0868a7a 848 allow $1 xdm_tmp_t:dir list_dir_perms;
0bfccda4 849 create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
0f5d13fe 850')
07620c08 851
0f5d13fe
CP		 852########################################
853## <summary>
854## Read XDM pid files.
855## </summary>
856## <param name="domain">
885b83ec 857## <summary>
0f5d13fe 858## Domain allowed access.
885b83ec 859## </summary>
0f5d13fe
CP		 860## </param>
861#
862interface(`xserver_read_xdm_pid',`
863 gen_require(`
864 type xdm_var_run_t;
865 ')
488ec7bd 866
0f5d13fe 867 files_search_pids($1)
3eaa9939 868 read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
0f5d13fe 869')
488ec7bd 870
fbc0a272
CP		 871########################################
872## <summary>
ff8f0a63 873## Read XDM var lib files.
fbc0a272
CP		 874## </summary>
875## <param name="domain">
ff8f0a63
CP		 876## <summary>
877## Domain allowed access.
878## </summary>
fbc0a272
CP		 879## </param>
880#
881interface(`xserver_read_xdm_lib_files',`
882 gen_require(`
883 type xdm_var_lib_t;
884 ')
885
82d2775c 886 allow $1 xdm_var_lib_t:file read_file_perms;
fbc0a272
CP		 887')
888
0f5d13fe
CP		 889########################################
890## <summary>
891## Make an X session script an entrypoint for the specified domain.
892## </summary>
893## <param name="domain">
885b83ec 894## <summary>
0f5d13fe 895## The domain for which the shell is an entrypoint.
885b83ec 896## </summary>
0f5d13fe
CP		 897## </param>
898#
899interface(`xserver_xsession_entry_type',`
900 gen_require(`
901 type xsession_exec_t;
902 ')
488ec7bd 903
0bfccda4 904 domain_entry_file($1, xsession_exec_t)
488ec7bd 905')
3b311307
CP		 906
907########################################
908## <summary>
0f5d13fe
CP		 909## Execute an X session in the target domain. This
910## is an explicit transition, requiring the
911## caller to use setexeccon().
3b311307
CP		 912## </summary>
913## <desc>
914## <p>
0f5d13fe
CP		 915## Execute an Xsession in the target domain. This
916## is an explicit transition, requiring the
917## caller to use setexeccon().
3b311307
CP		 918## </p>
919## <p>
0f5d13fe
CP		 920## No interprocess communication (signals, pipes,
921## etc.) is provided by this interface since
922## the domains are not owned by this module.
3b311307
CP		 923## </p>
924## </desc>
3b311307 925## <param name="domain">
885b83ec 926## <summary>
288845a6 927## Domain allowed to transition.
885b83ec 928## </summary>
3b311307 929## </param>
0f5d13fe 930## <param name="target_domain">
885b83ec 931## <summary>
0f5d13fe 932## The type of the shell process.
885b83ec 933## </summary>
0f5d13fe 934## </param>
3b311307 935#
0f5d13fe 936interface(`xserver_xsession_spec_domtrans',`
3b311307 937 gen_require(`
0f5d13fe 938 type xsession_exec_t;
3b311307
CP		 939 ')
940
0bfccda4 941 domain_trans($1, xsession_exec_t, $2)
3b311307
CP		 942')
943
3b914745
CP		 944########################################
945## <summary>
946## Get the attributes of X server logs.
947## </summary>
948## <param name="domain">
949## <summary>
950## Domain allowed access.
951## </summary>
952## </param>
953#
954interface(`xserver_getattr_log',`
955 gen_require(`
956 type xserver_log_t;
957 ')
958
959 logging_search_logs($1)
59c03405 960 allow $1 xserver_log_t:file getattr_file_perms;
3b914745
CP		 961')
962
3b311307
CP		 963########################################
964## <summary>
0f5d13fe
CP		 965## Do not audit attempts to write the X server
966## log files.
3b311307
CP		 967## </summary>
968## <param name="domain">
885b83ec 969## <summary>
a7ee7f81 970## Domain to not audit.
885b83ec 971## </summary>
3b311307
CP		 972## </param>
973#
0f5d13fe 974interface(`xserver_dontaudit_write_log',`
3b311307 975 gen_require(`
0f5d13fe 976 type xserver_log_t;
3b311307
CP		 977 ')
978
3eaa9939 979 dontaudit $1 xserver_log_t:file rw_inherited_file_perms;
3b311307 980')
5a975c1e
CP		 981
982########################################
983## <summary>
a7ee7f81 984## Delete X server log files.
5a975c1e
CP		 985## </summary>
986## <param name="domain">
885b83ec 987## <summary>
a7ee7f81 988## Domain allowed access.
885b83ec 989## </summary>
5a975c1e
CP		 990## </param>
991#
992interface(`xserver_delete_log',`
993 gen_require(`
994 type xserver_log_t;
995 ')
996
997 logging_search_logs($1)
c0868a7a 998 allow $1 xserver_log_t:dir list_dir_perms;
0bfccda4
CP		 999 delete_files_pattern($1, xserver_log_t, xserver_log_t)
1000 delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t)
5a975c1e 1001')
c8d5b357
CP		 1002
1003########################################
1004## <summary>
1005## Read X keyboard extension libraries.
1006## </summary>
1007## <param name="domain">
1008## <summary>
a7ee7f81 1009## Domain allowed access.
c8d5b357
CP		 1010## </summary>
1011## </param>
1012#
1013interface(`xserver_read_xkb_libs',`
1014 gen_require(`
1015 type xkb_var_lib_t;
1016 ')
1017
1018 files_search_var_lib($1)
1019 allow $1 xkb_var_lib_t:dir list_dir_perms;
0bfccda4
CP		 1020 read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
1021 read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
c8d5b357
CP		 1022')
1023
3eaa9939
DW		 1024########################################
1025## <summary>
1026## Read xdm config files.
1027## </summary>
1028## <param name="domain">
1029## <summary>
1030## Domain to not audit
1031## </summary>
1032## </param>
1033#
1034interface(`xserver_read_xdm_etc_files',`
1035 gen_require(`
1036 type xdm_etc_t;
1037 ')
1038
2d102f84 1039 files_search_etc($1)
3eaa9939
DW		 1040 read_files_pattern($1, xdm_etc_t, xdm_etc_t)
1041')
1042
1043########################################
1044## <summary>
1045## Manage xdm config files.
1046## </summary>
1047## <param name="domain">
1048## <summary>
1049## Domain to not audit
1050## </summary>
1051## </param>
1052#
1053interface(`xserver_manage_xdm_etc_files',`
1054 gen_require(`
1055 type xdm_etc_t;
1056 ')
1057
2d102f84 1058 files_search_etc($1)
3eaa9939
DW		 1059 manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
1060')
1061
eac818f0
CP		 1062########################################
1063## <summary>
1064## Read xdm temporary files.
1065## </summary>
1066## <param name="domain">
1067## <summary>
a7ee7f81 1068## Domain allowed access.
eac818f0
CP		 1069## </summary>
1070## </param>
1071#
1072interface(`xserver_read_xdm_tmp_files',`
1073 gen_require(`
1074 type xdm_tmp_t;
1075 ')
1076
2d102f84 1077 files_search_tmp($1)
0bfccda4 1078 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
eac818f0
CP		 1079')
1080
6b19be33
CP		 1081########################################
1082## <summary>
1083## Do not audit attempts to read xdm temporary files.
1084## </summary>
1085## <param name="domain">
1086## <summary>
a7ee7f81 1087## Domain to not audit.
6b19be33
CP		 1088## </summary>
1089## </param>
1090#
1091interface(`xserver_dontaudit_read_xdm_tmp_files',`
1092 gen_require(`
1093 type xdm_tmp_t;
1094 ')
1095
1096 dontaudit $1 xdm_tmp_t:dir search_dir_perms;
ef659a47 1097 dontaudit $1 xdm_tmp_t:file read_file_perms;
6b19be33
CP		 1098')
1099
1100########################################
1101## <summary>
1102## Read write xdm temporary files.
1103## </summary>
1104## <param name="domain">
1105## <summary>
a7ee7f81 1106## Domain allowed access.
6b19be33
CP		 1107## </summary>
1108## </param>
1109#
1110interface(`xserver_rw_xdm_tmp_files',`
1111 gen_require(`
1112 type xdm_tmp_t;
1113 ')
1114
1115 allow $1 xdm_tmp_t:dir search_dir_perms;
1116 allow $1 xdm_tmp_t:file rw_file_perms;
1117')
1118
1119########################################
1120## <summary>
1121## Create, read, write, and delete xdm temporary files.
1122## </summary>
1123## <param name="domain">
1124## <summary>
a7ee7f81 1125## Domain allowed access.
6b19be33
CP		 1126## </summary>
1127## </param>
1128#
1129interface(`xserver_manage_xdm_tmp_files',`
1130 gen_require(`
1131 type xdm_tmp_t;
1132 ')
1133
0bfccda4 1134 manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
6b19be33
CP		 1135')
1136
1137########################################
1138## <summary>
a7ee7f81
CP		 1139## Do not audit attempts to get the attributes of
1140## xdm temporary named sockets.
6b19be33
CP		 1141## </summary>
1142## <param name="domain">
1143## <summary>
a7ee7f81 1144## Domain to not audit.
6b19be33
CP		 1145## </summary>
1146## </param>
1147#
1148interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
1149 gen_require(`
1150 type xdm_tmp_t;
1151 ')
1152
59c03405 1153 dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
6b19be33
CP		 1154')
1155
75beb950
CP		 1156########################################
1157## <summary>
296273a7
CP		 1158## Execute the X server in the X server domain.
1159## </summary>
1160## <param name="domain">
1161## <summary>
288845a6 1162## Domain allowed to transition.
296273a7
CP		 1163## </summary>
1164## </param>
1165#
1166interface(`xserver_domtrans',`
1167 gen_require(`
1168 type xserver_t, xserver_exec_t;
1169 ')
1170
2d102f84 1171 allow $1 xserver_t:process siginh;
296273a7 1172 domtrans_pattern($1, xserver_exec_t, xserver_t)
c6fa935f
DW		 1173
1174 allow xserver_t $1:process getpgid;
296273a7
CP		 1175')
1176
1177########################################
1178## <summary>
1179## Signal X servers
75beb950
CP		 1180## </summary>
1181## <param name="domain">
1182## <summary>
a7ee7f81 1183## Domain allowed access.
75beb950
CP		 1184## </summary>
1185## </param>
1186#
296273a7 1187interface(`xserver_signal',`
75beb950 1188 gen_require(`
296273a7 1189 type xserver_t;
75beb950
CP		 1190 ')
1191
296273a7 1192 allow $1 xserver_t:process signal;
75beb950
CP		 1193')
1194
c8d5b357
CP		 1195########################################
1196## <summary>
296273a7 1197## Kill X servers
c8d5b357
CP		 1198## </summary>
1199## <param name="domain">
1200## <summary>
a7ee7f81 1201## Domain allowed access.
c8d5b357
CP		 1202## </summary>
1203## </param>
1204#
296273a7
CP		 1205interface(`xserver_kill',`
1206 gen_require(`
1207 type xserver_t;
1208 ')
1209
1210 allow $1 xserver_t:process sigkill;
1211')
1212
1213########################################
1214## <summary>
1215## Read and write X server Sys V Shared
1216## memory segments.
1217## </summary>
1218## <param name="domain">
1219## <summary>
1220## Domain allowed access.
1221## </summary>
1222## </param>
1223#
1224interface(`xserver_rw_shm',`
c8d5b357 1225 gen_require(`
296273a7 1226 type xserver_t;
c8d5b357
CP		 1227 ')
1228
296273a7 1229 allow $1 xserver_t:shm rw_shm_perms;
c8d5b357
CP		 1230')
1231
1232########################################
1233## <summary>
1234## Do not audit attempts to read and write to
296273a7 1235## X server sockets.
c8d5b357
CP		 1236## </summary>
1237## <param name="domain">
1238## <summary>
a7ee7f81 1239## Domain to not audit.
c8d5b357
CP		 1240## </summary>
1241## </param>
1242#
296273a7 1243interface(`xserver_dontaudit_rw_tcp_sockets',`
c8d5b357 1244 gen_require(`
296273a7 1245 type xserver_t;
c8d5b357
CP		 1246 ')
1247
296273a7 1248 dontaudit $1 xserver_t:tcp_socket { read write };
c8d5b357 1249')
522b59bb 1250
6b19be33
CP		 1251########################################
1252## <summary>
296273a7 1253## Do not audit attempts to read and write X server
6b19be33
CP		 1254## unix domain stream sockets.
1255## </summary>
1256## <param name="domain">
1257## <summary>
288845a6 1258## Domain to not audit.
6b19be33
CP		 1259## </summary>
1260## </param>
1261#
296273a7 1262interface(`xserver_dontaudit_rw_stream_sockets',`
6b19be33 1263 gen_require(`
296273a7 1264 type xserver_t;
6b19be33
CP		 1265 ')
1266
296273a7 1267 dontaudit $1 xserver_t:unix_stream_socket { read write };
6b19be33
CP		 1268')
1269
522b59bb
CP		 1270########################################
1271## <summary>
296273a7 1272## Connect to the X server over a unix domain
522b59bb
CP		 1273## stream socket.
1274## </summary>
1275## <param name="domain">
1276## <summary>
1277## Domain allowed access.
1278## </summary>
1279## </param>
1280#
f79af266 1281interface(`xserver_stream_connect',`
522b59bb 1282 gen_require(`
296273a7 1283 type xserver_t, xserver_tmp_t;
522b59bb
CP		 1284 ')
1285
1286 files_search_tmp($1)
296273a7 1287 stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
0745e425 1288 allow xserver_t $1:shm rw_shm_perms;
522b59bb 1289')
2c12b471 1290
21ea2b18
CP		 1291########################################
1292## <summary>
296273a7 1293## Read X server temporary files.
21ea2b18
CP		 1294## </summary>
1295## <param name="domain">
1296## <summary>
a7ee7f81 1297## Domain allowed access.
21ea2b18
CP		 1298## </summary>
1299## </param>
1300#
296273a7 1301interface(`xserver_read_tmp_files',`
21ea2b18 1302 gen_require(`
296273a7 1303 type xserver_tmp_t;
21ea2b18
CP		 1304 ')
1305
296273a7
CP		 1306 allow $1 xserver_tmp_t:file read_file_perms;
1307 files_search_tmp($1)
21ea2b18
CP		 1308')
1309
5242ecce
EW		 1310########################################
1311## <summary>
1312## Interface to provide X object permissions on a given X server to
1313## an X client domain. Gives the domain permission to read the
2d102f84 1314## virtual core keyboard and virtual core pointer devices.
5242ecce
EW		 1315## </summary>
1316## <param name="domain">
1317## <summary>
1318## Domain allowed access.
1319## </summary>
1320## </param>
1321#
1322interface(`xserver_manage_core_devices',`
1323 gen_require(`
2f94f460 1324 type xserver_t, root_xdrawable_t;
5242ecce
EW		 1325 class x_device all_x_device_perms;
1326 class x_pointer all_x_pointer_perms;
1327 class x_keyboard all_x_keyboard_perms;
3eaa9939
DW		 1328 class x_screen all_x_screen_perms;
1329 class x_drawable { manage };
3eaa9939
DW		 1330 attribute x_domain;
1331 class x_drawable { read manage setattr show };
1332 class x_resource { write read };
5242ecce
EW		 1333 ')
1334
1335 allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
3eaa9939
DW		 1336 allow $1 xserver_t:{ x_screen } setattr;
1337
1338 allow $1 x_domain:x_drawable { read manage setattr show };
1339 allow $1 x_domain:x_resource { write read };
1340 allow $1 root_xdrawable_t:x_drawable { manage read };
5242ecce
EW		 1341')
1342
2c12b471
CP		 1343########################################
1344## <summary>
1345## Interface to provide X object permissions on a given X server to
1346## an X client domain. Gives the domain complete control over the
1347## display.
1348## </summary>
1349## <param name="domain">
1350## <summary>
1351## Domain allowed access.
1352## </summary>
1353## </param>
1354#
1355interface(`xserver_unconfined',`
1356 gen_require(`
2f94f460 1357 attribute x_domain, xserver_unconfined_type;
2c12b471
CP		 1358 ')
1359
5242ecce 1360 typeattribute $1 x_domain;
2c12b471
CP		 1361 typeattribute $1 xserver_unconfined_type;
1362')
3eaa9939
DW		 1363
1364########################################
1365## <summary>
1366## Dontaudit append to .xsession-errors file
1367## </summary>
1368## <param name="domain">
1369## <summary>
1370## Domain to not audit
1371## </summary>
1372## </param>
1373#
1374interface(`xserver_dontaudit_append_xdm_home_files',`
1375 gen_require(`
2f94f460 1376 type xdm_home_t, xserver_tmp_t;
3eaa9939
DW		 1377 ')
1378
1379 dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
1380 dontaudit $1 xserver_tmp_t:file rw_inherited_file_perms;
1381
1382 tunable_policy(`use_nfs_home_dirs',`
1383 fs_dontaudit_rw_nfs_files($1)
1384 ')
1385
1386 tunable_policy(`use_samba_home_dirs',`
1387 fs_dontaudit_rw_cifs_files($1)
1388 ')
1389')
1390
1391########################################
1392## <summary>
1393## append to .xsession-errors file
1394## </summary>
1395## <param name="domain">
1396## <summary>
1397## Domain to not audit
1398## </summary>
1399## </param>
1400#
1401interface(`xserver_append_xdm_home_files',`
1402 gen_require(`
2f94f460 1403 type xdm_home_t, xserver_tmp_t;
3eaa9939
DW		 1404 ')
1405
1406 allow $1 xdm_home_t:file append_file_perms;
1407 allow $1 xserver_tmp_t:file append_file_perms;
1408
1409 tunable_policy(`use_nfs_home_dirs',`
1410 fs_append_nfs_files($1)
1411 ')
1412
1413 tunable_policy(`use_samba_home_dirs',`
1414 fs_append_cifs_files($1)
1415 ')
1416')
1417
1418########################################
1419## <summary>
1420## Manage the xdm_spool files
1421## </summary>
1422## <param name="domain">
1423## <summary>
1424## Domain allowed access.
1425## </summary>
1426## </param>
1427#
1428interface(`xserver_xdm_manage_spool',`
1429 gen_require(`
1430 type xdm_spool_t;
1431 ')
1432
1433 files_search_spool($1)
1434 manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
1435')
1436
1437########################################
1438## <summary>
1439## Send and receive messages from
1440## xdm over dbus.
1441## </summary>
1442## <param name="domain">
1443## <summary>
1444## Domain allowed access.
1445## </summary>
1446## </param>
1447#
1448interface(`xserver_dbus_chat_xdm',`
1449 gen_require(`
1450 type xdm_t;
1451 class dbus send_msg;
1452 ')
1453
1454 allow $1 xdm_t:dbus send_msg;
1455 allow xdm_t $1:dbus send_msg;
1456')
1457
1458########################################
1459## <summary>
1460## Read xserver files created in /var/run
1461## </summary>
1462## <param name="domain">
1463## <summary>
1464## Domain allowed access.
1465## </summary>
1466## </param>
1467#
1468interface(`xserver_read_pid',`
1469 gen_require(`
1470 type xserver_var_run_t;
1471 ')
1472
1473 files_search_pids($1)
1474 read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
1475')
1476
1477########################################
1478## <summary>
1479## Execute xserver files created in /var/run
1480## </summary>
1481## <param name="domain">
1482## <summary>
1483## Domain allowed access.
1484## </summary>
1485## </param>
1486#
1487interface(`xserver_exec_pid',`
1488 gen_require(`
1489 type xserver_var_run_t;
1490 ')
1491
1492 files_search_pids($1)
1493 exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
1494')
1495
1496########################################
1497## <summary>
1498## Write xserver files created in /var/run
1499## </summary>
1500## <param name="domain">
1501## <summary>
1502## Domain allowed access.
1503## </summary>
1504## </param>
1505#
1506interface(`xserver_write_pid',`
1507 gen_require(`
1508 type xserver_var_run_t;
1509 ')
1510
1511 files_search_pids($1)
1512 write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
1513')
1514
1515########################################
1516## <summary>
1517## Allow append the xdm
1518## log files.
1519## </summary>
1520## <param name="domain">
1521## <summary>
1522## Domain to not audit
1523## </summary>
1524## </param>
1525#
1526interface(`xserver_xdm_append_log',`
1527 gen_require(`
1528 type xdm_log_t;
1529 attribute xdmhomewriter;
1530 ')
1531
1532 typeattribute $1 xdmhomewriter;
1533 append_files_pattern($1, xdm_log_t, xdm_log_t)
1534')
1535
1536########################################
1537## <summary>
1538## Read a user Iceauthority domain.
1539## </summary>
1540## <param name="domain">
1541## <summary>
1542## Domain allowed access.
1543## </summary>
1544## </param>
1545#
1546template(`xserver_read_user_iceauth',`
1547 gen_require(`
1548 type iceauth_home_t;
1549 ')
1550
1551 # Read .Iceauthority file
1552 allow $1 iceauth_home_t:file read_file_perms;
1553')
1554
1555########################################
1556## <summary>
1557## Read user homedir fonts.
1558## </summary>
1559## <param name="domain">
1560## <summary>
1561## Domain allowed access.
1562## </summary>
1563## </param>
3eaa9939
DW		 1564#
1565interface(`xserver_rw_inherited_user_fonts',`
1566 gen_require(`
2f94f460 1567 type user_fonts_t, user_fonts_config_t;
3eaa9939
DW		 1568 ')
1569
1570 allow $1 user_fonts_t:file rw_inherited_file_perms;
1571 allow $1 user_fonts_t:file read_lnk_file_perms;
1572
1573 allow $1 user_fonts_config_t:file rw_inherited_file_perms;
1574')
1575
1576########################################
1577## <summary>
1578## Search XDM var lib dirs.
1579## </summary>
1580## <param name="domain">
1581## <summary>
1582## Domain allowed access.
1583## </summary>
1584## </param>
1585#
1586interface(`xserver_search_xdm_lib',`
1587 gen_require(`
1588 type xdm_var_lib_t;
1589 ')
1590
1591 allow $1 xdm_var_lib_t:dir search_dir_perms;
1592')
1593
3eaa9939
DW		 1594########################################
1595## <summary>
1596## Make an X executable an entrypoint for the specified domain.
1597## </summary>
1598## <param name="domain">
1599## <summary>
1600## The domain for which the shell is an entrypoint.
1601## </summary>
1602## </param>
1603#
1604interface(`xserver_entry_type',`
1605 gen_require(`
1606 type xserver_exec_t;
1607 ')
1608
1609 domain_entry_file($1, xserver_exec_t)
1610')
1611
1612########################################
1613## <summary>
1614## Execute xsever in the xserver domain, and
1615## allow the specified role the xserver domain.
1616## </summary>
1617## <param name="domain">
1618## <summary>
1619## Domain allowed access.
1620## </summary>
1621## </param>
1622## <param name="role">
1623## <summary>
1624## The role to be allowed the xserver domain.
1625## </summary>
1626## </param>
9c9e4c81 1627## <rolecap/>
3eaa9939
DW		 1628#
1629interface(`xserver_run',`
1630 gen_require(`
1631 type xserver_t;
1632 ')
1633
1634 xserver_domtrans($1)
1635 role $2 types xserver_t;
1636')
1637
1638########################################
1639## <summary>
1640## Execute xsever in the xserver domain, and
1641## allow the specified role the xserver domain.
1642## </summary>
1643## <param name="domain">
1644## <summary>
1645## Domain allowed access.
1646## </summary>
1647## </param>
1648## <param name="role">
1649## <summary>
1650## The role to be allowed the xserver domain.
1651## </summary>
1652## </param>
9c9e4c81 1653## <rolecap/>
3eaa9939
DW		 1654#
1655interface(`xserver_run_xauth',`
1656 gen_require(`
1657 type xauth_t;
1658 ')
1659
1660 xserver_domtrans_xauth($1)
1661 role $2 types xauth_t;
1662')
1663########################################
1664## <summary>
1665## Read user homedir fonts.
1666## </summary>
1667## <param name="domain">
1668## <summary>
1669## Domain allowed access.
1670## </summary>
1671## </param>
1672## <rolecap/>
1673#
1674interface(`xserver_manage_home_fonts',`
1675 gen_require(`
2f94f460 1676 type user_fonts_t, user_fonts_config_t;
3eaa9939
DW		 1677 ')
1678
1679 manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
1680 manage_files_pattern($1, user_fonts_t, user_fonts_t)
1681 manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
1682
1683 manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
1684')
The IPFire selinux policy.