[people/stevee/selinux-policy.git] / policy / modules / system / authlogin.te


policy_module(authlogin,1.3.14)

########################################
#
# Declarations
#

attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;

type chkpwd_exec_t;
files_type(chkpwd_exec_t)

type faillog_t;
logging_log_file(faillog_t)

type lastlog_t;
logging_log_file(lastlog_t)

# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
	type login_exec_t;
')
files_type(login_exec_t)

type pam_console_t;
type pam_console_exec_t;
init_system_domain(pam_console_t,pam_console_exec_t)
role system_r types pam_console_t;

type pam_t;
domain_type(pam_t)
role system_r types pam_t;

type pam_exec_t;
domain_entry_file(pam_t,pam_exec_t)

type pam_tmp_t;
files_tmp_file(pam_tmp_t)

type pam_var_console_t;
files_type(pam_var_console_t)

type pam_var_run_t;
files_pid_file(pam_var_run_t)

type shadow_t;
files_security_file(shadow_t)
neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;

type utempter_t;
domain_type(utempter_t)

type utempter_exec_t;
domain_entry_file(utempter_t,utempter_exec_t)

#
# var_auth_t is the type of /var/lib/auth, usually
# used for auth data in pam_able
#
type var_auth_t;
files_type(var_auth_t)

type wtmp_t;
logging_log_file(wtmp_t)

# reorder to work around require-then-decare bug
authlogin_common_auth_domain_template(system)
role system_r types system_chkpwd_t;

########################################
#
# PAM local policy
#

allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
dontaudit pam_t self:capability sys_tty_config;

allow pam_t self:fd use;
allow pam_t self:fifo_file rw_file_perms;
allow pam_t self:unix_dgram_socket create_socket_perms; 
allow pam_t self:unix_stream_socket rw_stream_socket_perms;
allow pam_t self:unix_dgram_socket sendto;
allow pam_t self:unix_stream_socket connectto;
allow pam_t self:shm create_shm_perms;
allow pam_t self:sem create_sem_perms;
allow pam_t self:msgq create_msgq_perms;
allow pam_t self:msg { send receive };

allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
allow pam_t pam_var_run_t:file { getattr read unlink };
files_list_pids(pam_t)

allow pam_t pam_tmp_t:dir manage_dir_perms;
allow pam_t pam_tmp_t:file manage_file_perms;
files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })

kernel_read_system_state(pam_t)

fs_search_auto_mountpoints(pam_t)

term_use_all_user_ttys(pam_t)
term_use_all_user_ptys(pam_t)

init_dontaudit_rw_utmp(pam_t)

files_read_etc_files(pam_t)

libs_use_ld_so(pam_t)
libs_use_shared_libs(pam_t)

logging_send_syslog_msg(pam_t)

userdom_use_unpriv_users_fds(pam_t)

optional_policy(`
	locallogin_use_fds(pam_t)
')

optional_policy(`
	nis_use_ypbind(pam_t)
')

optional_policy(`
	nscd_socket_use(pam_t)
')

########################################
#
# PAM console local policy
#

allow pam_console_t self:capability { chown fowner fsetid };
dontaudit pam_console_t self:capability sys_tty_config;

allow pam_console_t self:process { sigchld sigkill sigstop signull signal };

# for /var/run/console.lock checking
allow pam_console_t pam_var_console_t:dir list_dir_perms;
allow pam_console_t pam_var_console_t:lnk_file { getattr read };
allow pam_console_t pam_var_console_t:file r_file_perms;
dontaudit pam_console_t pam_var_console_t:file write;

kernel_read_kernel_sysctls(pam_console_t)
kernel_use_fds(pam_console_t)
# Read /proc/meminfo
kernel_read_system_state(pam_console_t)

dev_read_sysfs(pam_console_t)
dev_getattr_apm_bios_dev(pam_console_t)
dev_setattr_apm_bios_dev(pam_console_t)
dev_getattr_dri_dev(pam_console_t)
dev_setattr_dri_dev(pam_console_t)
dev_getattr_framebuffer_dev(pam_console_t)
dev_setattr_framebuffer_dev(pam_console_t)
dev_getattr_generic_usb_dev(pam_console_t)
dev_setattr_generic_usb_dev(pam_console_t)
dev_getattr_misc_dev(pam_console_t)
dev_setattr_misc_dev(pam_console_t)
dev_getattr_mouse_dev(pam_console_t)
dev_setattr_mouse_dev(pam_console_t)
dev_getattr_power_mgmt_dev(pam_console_t)
dev_setattr_power_mgmt_dev(pam_console_t)
dev_getattr_scanner_dev(pam_console_t)
dev_setattr_scanner_dev(pam_console_t)
dev_getattr_sound_dev(pam_console_t)
dev_setattr_sound_dev(pam_console_t)
dev_getattr_video_dev(pam_console_t)
dev_setattr_video_dev(pam_console_t)
dev_getattr_xserver_misc_dev(pam_console_t)
dev_setattr_xserver_misc_dev(pam_console_t)
dev_read_urand(pam_console_t)

fs_list_auto_mountpoints(pam_console_t)

mls_file_read_up(pam_console_t)
mls_file_write_down(pam_console_t)

storage_getattr_fixed_disk_dev(pam_console_t)
storage_setattr_fixed_disk_dev(pam_console_t)
storage_getattr_removable_dev(pam_console_t)
storage_setattr_removable_dev(pam_console_t)
storage_getattr_scsi_generic_dev(pam_console_t)
storage_setattr_scsi_generic_dev(pam_console_t)

term_use_console(pam_console_t)
term_use_all_user_ttys(pam_console_t)
term_use_all_user_ptys(pam_console_t)
term_setattr_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)
term_use_unallocated_ttys(pam_console_t)

auth_use_nsswitch(pam_console_t)

domain_use_interactive_fds(pam_console_t)

files_read_etc_files(pam_console_t)
files_search_pids(pam_console_t)
files_list_mnt(pam_console_t)
# read /etc/mtab
files_read_etc_runtime_files(pam_console_t)

init_use_fds(pam_console_t)
init_use_script_ptys(pam_console_t)

libs_use_ld_so(pam_console_t)
libs_use_shared_libs(pam_console_t)

logging_send_syslog_msg(pam_console_t)

miscfiles_read_localization(pam_console_t)
miscfiles_read_certs(pam_console_t)

seutil_read_file_contexts(pam_console_t)

userdom_dontaudit_use_unpriv_user_fds(pam_console_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(pam_console_t)
	term_dontaudit_use_generic_ptys(pam_console_t)
	files_dontaudit_read_root_files(pam_console_t)
')

optional_policy(`
	gpm_getattr_gpmctl(pam_console_t)
	gpm_setattr_gpmctl(pam_console_t)
')

optional_policy(`
	hotplug_use_fds(pam_console_t)
	hotplug_dontaudit_search_config(pam_console_t)
')

optional_policy(`
	seutil_sigchld_newrole(pam_console_t)
')

optional_policy(`
	udev_read_db(pam_console_t)
')

optional_policy(`
	xserver_read_xdm_pid(pam_console_t)
')

########################################
#
# System check password local policy
#

allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

allow system_chkpwd_t shadow_t:file { getattr read };

corecmd_search_sbin(system_chkpwd_t)

domain_dontaudit_use_interactive_fds(system_chkpwd_t)

term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
term_dontaudit_use_generic_ptys(system_chkpwd_t)

userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)

########################################
#
# Utempter local policy
#

allow utempter_t self:capability setgid;
allow utempter_t self:unix_stream_socket create_stream_socket_perms;

allow utempter_t wtmp_t:file rw_file_perms;

dev_read_urand(utempter_t)

term_getattr_all_user_ttys(utempter_t)
term_getattr_all_user_ptys(utempter_t)
term_dontaudit_use_all_user_ttys(utempter_t)
term_dontaudit_use_all_user_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)

init_rw_utmp(utempter_t)

files_read_etc_files(utempter_t)

domain_use_interactive_fds(utempter_t)

libs_use_ld_so(utempter_t)
libs_use_shared_libs(utempter_t)

logging_search_logs(utempter_t)

# Allow utemper to write to /tmp/.xses-*
userdom_write_unpriv_users_tmp_files(utempter_t)

optional_policy(`
	nscd_socket_use(utempter_t)
')

optional_policy(`
	xserver_use_xdm_fds(utempter_t)
	xserver_rw_xdm_pipes(utempter_t)
')
Commit	Line	Data
e181fe05	1
75beb950	2	policy_module(authlogin,1.3.14)
960373dd	3
3ba13bbf CP	4	########################################
	5	#
	6	# Declarations
	7	#
7bba9d31 CP	8
	9	attribute can_read_shadow_passwords;
	10	attribute can_write_shadow_passwords;
	11	attribute can_relabelto_shadow_passwords;
	12
3ba13bbf	13	type chkpwd_exec_t;
8fd36732	14	files_type(chkpwd_exec_t)
3ba13bbf CP	15
3ba13bbf CP	16	type faillog_t;
c9428d33	17	logging_log_file(faillog_t)
3ba13bbf	18
b4cd1533	19	type lastlog_t;
c9428d33	20	logging_log_file(lastlog_t)
b4cd1533	21
77f6e2cd CP	22	# real declaration moved to mls until
	23	# range_transition works in loadable modules
	24	gen_require(`
	25	type login_exec_t;
	26	')
8fd36732	27	files_type(login_exec_t)
3ba13bbf	28
f0574fa9	29	type pam_console_t;
07d6e32f	30	type pam_console_exec_t;
c9428d33	31	init_system_domain(pam_console_t,pam_console_exec_t)
75a10baf CP	32	role system_r types pam_console_t;
75a10baf CP	33
493d6c4a	34	type pam_t;
c9428d33	35	domain_type(pam_t)
3ce6cb4a	36	role system_r types pam_t;
3ba13bbf	37
07d6e32f	38	type pam_exec_t;
c9428d33	39	domain_entry_file(pam_t,pam_exec_t)
07d6e32f	40
3ba13bbf	41	type pam_tmp_t;
c9428d33	42	files_tmp_file(pam_tmp_t)
3ba13bbf	43
493d6c4a	44	type pam_var_console_t;
8fd36732	45	files_type(pam_var_console_t)
3ba13bbf CP	46
3ba13bbf CP	47	type pam_var_run_t;
c9428d33	48	files_pid_file(pam_var_run_t)
3ba13bbf CP	49
3ba13bbf CP	50	type shadow_t;
6f11d6b8	51	files_security_file(shadow_t)
3ba13bbf	52	neverallow ~can_read_shadow_passwords shadow_t:file read;
a1f94a34 CP	53	neverallow ~can_write_shadow_passwords shadow_t:file { create write };
a1f94a34 CP	54	neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
3ba13bbf	55
493d6c4a	56	type utempter_t;
c9428d33	57	domain_type(utempter_t)
3ba13bbf CP	58
3ba13bbf CP	59	type utempter_exec_t;
c9428d33	60	domain_entry_file(utempter_t,utempter_exec_t)
3ba13bbf	61
7b062eac CP	62	#
	63	# var_auth_t is the type of /var/lib/auth, usually
	64	# used for auth data in pam_able
	65	#
	66	type var_auth_t;
	67	files_type(var_auth_t)
	68
b4cd1533	69	type wtmp_t;
c9428d33	70	logging_log_file(wtmp_t)
3ba13bbf	71
5b4ff3a1 CP	72	# reorder to work around require-then-decare bug
	73	authlogin_common_auth_domain_template(system)
	74	role system_r types system_chkpwd_t;
	75
3ba13bbf CP	76	########################################
3ba13bbf CP	77	#
3ce6cb4a	78	# PAM local policy
3ba13bbf	79	#
3ce6cb4a	80
9d3bdc25	81	allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
3ce6cb4a CP	82	dontaudit pam_t self:capability sys_tty_config;
	83
	84	allow pam_t self:fd use;
dd822947 CP	85	allow pam_t self:fifo_file rw_file_perms;
	86	allow pam_t self:unix_dgram_socket create_socket_perms;
	87	allow pam_t self:unix_stream_socket rw_stream_socket_perms;
3ce6cb4a CP	88	allow pam_t self:unix_dgram_socket sendto;
3ce6cb4a CP	89	allow pam_t self:unix_stream_socket connectto;
dd822947 CP	90	allow pam_t self:shm create_shm_perms;
	91	allow pam_t self:sem create_sem_perms;
	92	allow pam_t self:msgq create_msgq_perms;
3ce6cb4a CP	93	allow pam_t self:msg { send receive };
	94
	95	allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
	96	allow pam_t pam_var_run_t:file { getattr read unlink };
ba1a545f	97	files_list_pids(pam_t)
3ce6cb4a	98
ba1a545f CP	99	allow pam_t pam_tmp_t:dir manage_dir_perms;
ba1a545f CP	100	allow pam_t pam_tmp_t:file manage_file_perms;
103fe280	101	files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
3ce6cb4a CP	102
	103	kernel_read_system_state(pam_t)
	104
ab940a4c CP	105	fs_search_auto_mountpoints(pam_t)
ab940a4c CP	106
0fd9dc55 CP	107	term_use_all_user_ttys(pam_t)
0fd9dc55 CP	108	term_use_all_user_ptys(pam_t)
3ce6cb4a	109
68228b33	110	init_dontaudit_rw_utmp(pam_t)
3ce6cb4a	111
8fd36732	112	files_read_etc_files(pam_t)
3ce6cb4a	113
c9428d33 CP	114	libs_use_ld_so(pam_t)
c9428d33 CP	115	libs_use_shared_libs(pam_t)
3ce6cb4a	116
c9428d33	117	logging_send_syslog_msg(pam_t)
3ce6cb4a	118
103fe280	119	userdom_use_unpriv_users_fds(pam_t)
dc771ff4	120
bb7170f6	121	optional_policy(`
1c1ac67f	122	locallogin_use_fds(pam_t)
3ce6cb4a CP	123	')
3ce6cb4a CP	124
bb7170f6	125	optional_policy(`
ab940a4c	126	nis_use_ypbind(pam_t)
3ce6cb4a CP	127	')
3ce6cb4a CP	128
bb7170f6	129	optional_policy(`
1815bad1	130	nscd_socket_use(pam_t)
493d6c4a CP	131	')
493d6c4a CP	132
75a10baf CP	133	########################################
	134	#
	135	# PAM console local policy
	136	#
	137
	138	allow pam_console_t self:capability { chown fowner fsetid };
	139	dontaudit pam_console_t self:capability sys_tty_config;
	140
	141	allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
	142
	143	# for /var/run/console.lock checking
ba1a545f CP	144	allow pam_console_t pam_var_console_t:dir list_dir_perms;
ba1a545f CP	145	allow pam_console_t pam_var_console_t:lnk_file { getattr read };
dd822947	146	allow pam_console_t pam_var_console_t:file r_file_perms;
77f6e2cd	147	dontaudit pam_console_t pam_var_console_t:file write;
75a10baf	148
445522dc	149	kernel_read_kernel_sysctls(pam_console_t)
1c1ac67f	150	kernel_use_fds(pam_console_t)
0907bda1 CP	151	# Read /proc/meminfo
0907bda1 CP	152	kernel_read_system_state(pam_console_t)
75a10baf	153
d35c621e	154	dev_read_sysfs(pam_console_t)
207c4763 CP	155	dev_getattr_apm_bios_dev(pam_console_t)
207c4763 CP	156	dev_setattr_apm_bios_dev(pam_console_t)
02bcb8b3 CP	157	dev_getattr_dri_dev(pam_console_t)
02bcb8b3 CP	158	dev_setattr_dri_dev(pam_console_t)
207c4763 CP	159	dev_getattr_framebuffer_dev(pam_console_t)
207c4763 CP	160	dev_setattr_framebuffer_dev(pam_console_t)
72492557 CP	161	dev_getattr_generic_usb_dev(pam_console_t)
72492557 CP	162	dev_setattr_generic_usb_dev(pam_console_t)
207c4763 CP	163	dev_getattr_misc_dev(pam_console_t)
	164	dev_setattr_misc_dev(pam_console_t)
	165	dev_getattr_mouse_dev(pam_console_t)
	166	dev_setattr_mouse_dev(pam_console_t)
	167	dev_getattr_power_mgmt_dev(pam_console_t)
	168	dev_setattr_power_mgmt_dev(pam_console_t)
	169	dev_getattr_scanner_dev(pam_console_t)
	170	dev_setattr_scanner_dev(pam_console_t)
	171	dev_getattr_sound_dev(pam_console_t)
	172	dev_setattr_sound_dev(pam_console_t)
7a2f20a3 CP	173	dev_getattr_video_dev(pam_console_t)
7a2f20a3 CP	174	dev_setattr_video_dev(pam_console_t)
cf6a7d89 CP	175	dev_getattr_xserver_misc_dev(pam_console_t)
cf6a7d89 CP	176	dev_setattr_xserver_misc_dev(pam_console_t)
85a0f967	177	dev_read_urand(pam_console_t)
d35c621e	178
75beb950	179	fs_list_auto_mountpoints(pam_console_t)
ab940a4c	180
85a0f967 CP	181	mls_file_read_up(pam_console_t)
	182	mls_file_write_down(pam_console_t)
	183
1815bad1 CP	184	storage_getattr_fixed_disk_dev(pam_console_t)
	185	storage_setattr_fixed_disk_dev(pam_console_t)
	186	storage_getattr_removable_dev(pam_console_t)
	187	storage_setattr_removable_dev(pam_console_t)
	188	storage_getattr_scsi_generic_dev(pam_console_t)
	189	storage_setattr_scsi_generic_dev(pam_console_t)
75a10baf	190
0fd9dc55	191	term_use_console(pam_console_t)
e9935943 CP	192	term_use_all_user_ttys(pam_console_t)
e9935943 CP	193	term_use_all_user_ptys(pam_console_t)
0907bda1	194	term_setattr_console(pam_console_t)
0fd9dc55 CP	195	term_getattr_unallocated_ttys(pam_console_t)
0fd9dc55 CP	196	term_setattr_unallocated_ttys(pam_console_t)
46551033	197	term_use_unallocated_ttys(pam_console_t)
75a10baf	198
77f6e2cd CP	199	auth_use_nsswitch(pam_console_t)
77f6e2cd CP	200
15722ec9	201	domain_use_interactive_fds(pam_console_t)
75a10baf	202
8fd36732	203	files_read_etc_files(pam_console_t)
c9428d33 CP	204	files_search_pids(pam_console_t)
c9428d33 CP	205	files_list_mnt(pam_console_t)
689f6ddb CP	206	# read /etc/mtab
689f6ddb CP	207	files_read_etc_runtime_files(pam_console_t)
75a10baf	208
1c1ac67f	209	init_use_fds(pam_console_t)
1815bad1	210	init_use_script_ptys(pam_console_t)
d35c621e	211
c9428d33 CP	212	libs_use_ld_so(pam_console_t)
c9428d33 CP	213	libs_use_shared_libs(pam_console_t)
75a10baf	214
c9428d33	215	logging_send_syslog_msg(pam_console_t)
75a10baf	216
85a0f967	217	miscfiles_read_localization(pam_console_t)
a5e2133b	218	miscfiles_read_certs(pam_console_t)
f0574fa9	219
5e0da6a0	220	seutil_read_file_contexts(pam_console_t)
75a10baf	221
15722ec9	222	userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
dc771ff4	223
ba1a545f	224	ifdef(`targeted_policy',`
1815bad1 CP	225	term_dontaudit_use_unallocated_ttys(pam_console_t)
1815bad1 CP	226	term_dontaudit_use_generic_ptys(pam_console_t)
9e04f5c5	227	files_dontaudit_read_root_files(pam_console_t)
75a10baf CP	228	')
75a10baf CP	229
bb7170f6	230	optional_policy(`
f862c35c CP	231	gpm_getattr_gpmctl(pam_console_t)
	232	gpm_setattr_gpmctl(pam_console_t)
	233	')
	234
bb7170f6	235	optional_policy(`
1c1ac67f	236	hotplug_use_fds(pam_console_t)
c9428d33	237	hotplug_dontaudit_search_config(pam_console_t)
1e5c2a41 CP	238	')
1e5c2a41 CP	239
bb7170f6	240	optional_policy(`
8fd36732	241	seutil_sigchld_newrole(pam_console_t)
75a10baf CP	242	')
75a10baf CP	243
bb7170f6	244	optional_policy(`
c9428d33	245	udev_read_db(pam_console_t)
75a10baf CP	246	')
75a10baf CP	247
3b914745 CP	248	optional_policy(`
3b914745 CP	249	xserver_read_xdm_pid(pam_console_t)
75a10baf	250	')
75a10baf	251
f66a1af9 CP	252	########################################
	253	#
	254	# System check password local policy
	255	#
	256
725926c5	257	allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
f66a1af9	258
5c162193 CP	259	allow system_chkpwd_t shadow_t:file { getattr read };
5c162193 CP	260
725926c5 CP	261	corecmd_search_sbin(system_chkpwd_t)
725926c5 CP	262
15722ec9	263	domain_dontaudit_use_interactive_fds(system_chkpwd_t)
51f5c6a2	264
1815bad1 CP	265	term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
1815bad1 CP	266	term_dontaudit_use_generic_ptys(system_chkpwd_t)
ebdc3b79	267
1815bad1	268	userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
ce6bf7cc	269	userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
5c162193	270
3ce6cb4a CP	271	########################################
	272	#
	273	# Utempter local policy
	274	#
	275
	276	allow utempter_t self:capability setgid;
0fd9dc55	277	allow utempter_t self:unix_stream_socket create_stream_socket_perms;
3ce6cb4a	278
dd822947	279	allow utempter_t wtmp_t:file rw_file_perms;
3ce6cb4a	280
77f6e2cd CP	281	dev_read_urand(utempter_t)
77f6e2cd CP	282
0fd9dc55 CP	283	term_getattr_all_user_ttys(utempter_t)
	284	term_getattr_all_user_ptys(utempter_t)
	285	term_dontaudit_use_all_user_ttys(utempter_t)
	286	term_dontaudit_use_all_user_ptys(utempter_t)
	287	term_dontaudit_use_ptmx(utempter_t)
3ce6cb4a	288
68228b33	289	init_rw_utmp(utempter_t)
3ce6cb4a	290
8fd36732	291	files_read_etc_files(utempter_t)
3ce6cb4a	292
15722ec9	293	domain_use_interactive_fds(utempter_t)
3ce6cb4a	294
c9428d33 CP	295	libs_use_ld_so(utempter_t)
c9428d33 CP	296	libs_use_shared_libs(utempter_t)
3ce6cb4a	297
c9428d33	298	logging_search_logs(utempter_t)
3ce6cb4a	299
3ce6cb4a	300	# Allow utemper to write to /tmp/.xses-*
15722ec9	301	userdom_write_unpriv_users_tmp_files(utempter_t)
3ce6cb4a	302
bb7170f6	303	optional_policy(`
1815bad1	304	nscd_socket_use(utempter_t)
493d6c4a CP	305	')
493d6c4a CP	306
bb7170f6	307	optional_policy(`
1f6524ae CP	308	xserver_use_xdm_fds(utempter_t)
1f6524ae CP	309	xserver_rw_xdm_pipes(utempter_t)
3ce6cb4a	310	')