1 ## <summary>X Windows Server</summary>
3 #######################################
5 ## Template to create types and rules common to
6 ## all X server domains.
8 ## <param name="prefix">
10 ## The prefix of the domain (e.g., user
11 ## is the prefix for user_t).
15 template(`xserver_common_domain_template',`
17 ##############################
23 domain_type($1_xserver_t)
25 type $1_xserver_tmp_t;
26 files_tmp_file($1_xserver_tmp_t)
28 type $1_xserver_tmpfs_t;
29 files_tmpfs_file($1_xserver_tmpfs_t)
31 ##############################
33 # $1_xserver_t local policy
36 # setuid/setgid for the wrapper program to change UID
37 # sys_rawio is for iopl access - should not be needed for frame-buffer
38 # sys_admin, locking shared mem? chowning IPC message queues or semaphores?
40 # sys_nice is so that the X server can set a negative nice value
41 # execheap needed until the X module loader is fixed.
42 # NVIDIA Needs execstack
# NOTE(review): every domain built from this template receives the whole
# capability set below, including dac_override, sys_rawio, sys_admin and
# mknod. The notes above already question sys_admin and say sys_rawio should
# not be needed with a frame buffer, so each one is worth re-confirming.
44 allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
# chown is not in the allowed set; this only keeps the denial out of the audit log.
45 dontaudit $1_xserver_t self:capability chown;
# All process permissions except the ones listed after the complement operator.
46 allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
# Adds back execmem, execheap and execstack, which the previous rule left out.
# setsched is repeated here although the previous rule already covers it.
# NOTE(review): executable heap, stack and anonymous memory are therefore
# always permitted for the X server domain. The notes above tie execheap to
# the module loader and execstack to one vendor driver, so a tunable would
# let systems that need neither keep them off.
47 allow $1_xserver_t self:process { execmem execheap execstack setsched };
# File descriptors, IPC objects and sockets the server uses on itself.
48 allow $1_xserver_t self:fd use;
49 allow $1_xserver_t self:fifo_file rw_file_perms;
50 allow $1_xserver_t self:sock_file r_file_perms;
51 allow $1_xserver_t self:shm create_shm_perms;
52 allow $1_xserver_t self:sem create_sem_perms;
53 allow $1_xserver_t self:msgq create_msgq_perms;
54 allow $1_xserver_t self:msg { send receive };
55 allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto };
56 allow $1_xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
57 allow $1_xserver_t self:netlink_route_socket r_netlink_socket_perms;
58 allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
59 allow $1_xserver_t self:udp_socket create_socket_perms;
61 allow $1_xserver_t $1_xserver_tmp_t:dir manage_dir_perms;
62 allow $1_xserver_t $1_xserver_tmp_t:file manage_file_perms;
63 allow $1_xserver_t $1_xserver_tmp_t:sock_file manage_file_perms;
64 files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
66 allow $1_xserver_t xdm_xserver_tmp_t:dir rw_dir_perms;
67 type_transition $1_xserver_t xdm_xserver_tmp_t:sock_file $1_xserver_tmp_t;
69 allow $1_xserver_t $1_xserver_tmpfs_t:dir manage_dir_perms;
70 allow $1_xserver_t $1_xserver_tmpfs_t:file manage_file_perms;
71 allow $1_xserver_t $1_xserver_tmpfs_t:lnk_file create_lnk_perms;
72 allow $1_xserver_t $1_xserver_tmpfs_t:sock_file manage_file_perms;
73 allow $1_xserver_t $1_xserver_tmpfs_t:fifo_file manage_file_perms;
74 fs_tmpfs_filetrans($1_xserver_t,$1_xserver_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
76 allow $1_xserver_t xkb_var_lib_t:dir rw_dir_perms;
77 allow $1_xserver_t xkb_var_lib_t:file manage_file_perms;
78 allow $1_xserver_t xkb_var_lib_t:lnk_file create_lnk_perms;
79 files_search_var_lib($1_xserver_t)
81 # Create files in /var/log with the xserver_log_t type.
82 allow $1_xserver_t xserver_log_t:file manage_file_perms;
83 allow $1_xserver_t xserver_log_t:dir r_dir_perms;
84 logging_log_filetrans($1_xserver_t,xserver_log_t,file)
86 kernel_read_system_state($1_xserver_t)
87 kernel_read_device_sysctls($1_xserver_t)
88 kernel_read_modprobe_sysctls($1_xserver_t)
89 # Xorg wants to check if kernel is tainted
90 kernel_read_kernel_sysctls($1_xserver_t)
91 kernel_write_proc_files($1_xserver_t)
93 # Run helper programs in $1_xserver_t.
94 corecmd_search_sbin($1_xserver_t)
95 corecmd_exec_bin($1_xserver_t)
96 corecmd_exec_shell($1_xserver_t)
# Network access for the X server domain.
# NOTE(review): going by the interface names, the server may send and receive
# TCP, UDP and raw traffic on all nodes, bind TCP and UDP on all nodes, and
# open TCP connections to all ports. Only the X server port bind is specific
# to this service. Confirm the raw and connect-to-all-ports access is still
# needed; on hosts that serve local displays only, a narrower set limits what
# a compromised server process can reach.
98 corenet_non_ipsec_sendrecv($1_xserver_t)
99 corenet_tcp_sendrecv_generic_if($1_xserver_t)
100 corenet_udp_sendrecv_generic_if($1_xserver_t)
101 corenet_raw_sendrecv_generic_if($1_xserver_t)
102 corenet_tcp_sendrecv_all_nodes($1_xserver_t)
103 corenet_udp_sendrecv_all_nodes($1_xserver_t)
104 corenet_raw_sendrecv_all_nodes($1_xserver_t)
105 corenet_tcp_sendrecv_all_ports($1_xserver_t)
106 corenet_udp_sendrecv_all_ports($1_xserver_t)
107 corenet_tcp_bind_all_nodes($1_xserver_t)
108 corenet_udp_bind_all_nodes($1_xserver_t)
109 corenet_tcp_bind_xserver_port($1_xserver_t)
110 corenet_tcp_connect_all_ports($1_xserver_t)
# Device access for the X server domain: input, video and memory devices.
112 dev_read_sysfs($1_xserver_t)
113 dev_rw_mouse($1_xserver_t)
114 dev_rw_mtrr($1_xserver_t)
115 dev_rw_apm_bios($1_xserver_t)
116 dev_rw_agp($1_xserver_t)
117 dev_rw_framebuffer($1_xserver_t)
118 dev_manage_dri_dev($1_xserver_t)
119 dev_create_generic_dirs($1_xserver_t)
120 dev_setattr_generic_dirs($1_xserver_t)
121 # raw memory access is needed if not using the frame buffer
# NOTE(review): read and write on raw memory are granted unconditionally,
# including on frame buffer setups where the comment above implies they are
# not required. A domain that can write raw memory can presumably change
# kernel state directly and so step around the rest of this policy; this
# pair is the strongest grant in the template and deserves a conditional.
122 dev_read_raw_memory($1_xserver_t)
123 dev_write_raw_memory($1_xserver_t)
124 # for other device nodes such as the NVidia binary-only driver
125 dev_rw_xserver_misc($1_xserver_t)
126 # read events - the synaptics touchpad driver reads raw events
# NOTE(review): the interface grants read and write, while the comment above
# only explains the read side - confirm write is needed.
127 dev_rw_input_dev($1_xserver_t)
# NOTE(review): the rwx in the interface name suggests execute access on the
# zero device as well as read and write - confirm against the interface.
128 dev_rwx_zero($1_xserver_t)
130 files_read_etc_files($1_xserver_t)
131 files_read_etc_runtime_files($1_xserver_t)
132 files_read_usr_files($1_xserver_t)
135 files_search_mnt($1_xserver_t)
137 files_dontaudit_search_pids($1_xserver_t)
139 fs_getattr_xattr_fs($1_xserver_t)
140 fs_search_nfs($1_xserver_t)
141 fs_search_auto_mountpoints($1_xserver_t)
143 init_getpgid($1_xserver_t)
145 term_setattr_unallocated_ttys($1_xserver_t)
146 term_use_unallocated_ttys($1_xserver_t)
148 libs_use_ld_so($1_xserver_t)
149 libs_use_shared_libs($1_xserver_t)
151 logging_send_syslog_msg($1_xserver_t)
153 miscfiles_read_localization($1_xserver_t)
154 miscfiles_read_fonts($1_xserver_t)
156 modutils_domtrans_insmod($1_xserver_t)
158 seutil_dontaudit_search_config($1_xserver_t)
160 sysnet_read_config($1_xserver_t)
163 auth_search_pam_console_data($1_xserver_t)
167 nis_use_ypbind($1_xserver_t)
171 nscd_socket_use($1_xserver_t)
175 xfs_stream_connect($1_xserver_t)
179 ifdef(`distro_redhat',`
181 allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
182 allow $1_xserver_t rpm_tmpfs_t:file { read write };
183 rpm_use_fds($1_xserver_t)
189 #######################################
191 ## The per user domain template for the xserver module.
195 ## Define a derived domain for the X server when executed
196 ## by a user domain (e.g. via startx). See the xdm module
197 ## if using an X Display Manager.
200 ## This is invoked automatically for each user and
201 ## generally does not need to be invoked directly
202 ## by policy writers.
205 ## <param name="prefix">
207 ## The prefix of the user domain (e.g., user
208 ## is the prefix for user_t).
211 ## <param name="user_domain">
213 ## The type of the user domain.
216 ## <param name="user_role">
218 ## The role associated with the user domain.
222 template(`xserver_per_userdomain_template',`
224 ##############################
229 xserver_common_domain_template($1)
230 role $3 types $1_xserver_t;
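# Per user font types. Each one is handed to userdom_user_home_content so it
# is set up as home directory content for this user prefix (presumably;
# confirm against that interface).
232 type $1_fonts_t, fonts_type;
233 userdom_user_home_content($1,$1_fonts_t)
235 type $1_fonts_cache_t, fonts_cache_type;
236 userdom_user_home_content($1,$1_fonts_cache_t)
# The config type has to be registered itself. Passing the cache type a
# second time here left the fonts config type without the home content setup.
238 type $1_fonts_config_t, fonts_config_type;
239 userdom_user_home_content($1,$1_fonts_config_t)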
242 domain_type($1_iceauth_t)
243 domain_entry_file($1_iceauth_t,iceauth_exec_t)
244 role $3 types $1_iceauth_t;
246 type $1_iceauth_home_t alias $1_iceauth_rw_t;
247 files_poly_member($1_iceauth_home_t)
248 userdom_user_home_content($1,$1_iceauth_home_t)
251 domain_type($1_xauth_t)
252 domain_entry_file($1_xauth_t,xauth_exec_t)
253 role $3 types $1_xauth_t;
255 type $1_xauth_home_t alias $1_xauth_rw_t;
256 files_poly_member($1_xauth_home_t)
257 userdom_user_home_content($1,$1_xauth_home_t)
260 files_tmp_file($1_xauth_tmp_t)
262 ##############################
264 # $1_xserver_t Local policy
267 domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
268 allow $1_xserver_t $1_xauth_t:fd use;
269 allow $1_xauth_t $1_xserver_t:fd use;
270 allow $1_xauth_t $1_xserver_t:fifo_file rw_file_perms;
271 allow $1_xauth_t $1_xserver_t:process sigchld;
273 allow $1_xserver_t $1_xauth_home_t:file { getattr read };
275 domain_auto_trans($2, xserver_exec_t, $1_xserver_t)
276 allow $2 $1_xserver_t:fd use;
277 allow $1_xserver_t $2:fd use;
278 allow $1_xserver_t $2:fifo_file rw_file_perms;
279 allow $1_xserver_t $2:process { signal sigchld };
281 allow $1_xserver_t $2:shm rw_shm_perms;
283 allow $2 $1_fonts_t:dir manage_dir_perms;
284 allow $2 $1_fonts_t:file manage_file_perms;
285 allow $2 $1_fonts_t:{ dir file } { relabelto relabelfrom };
287 allow $2 $1_fonts_config_t:dir manage_dir_perms;
288 allow $2 $1_fonts_config_t:file manage_file_perms;
289 allow $2 $1_fonts_config_t:file { relabelto relabelfrom };
291 # For startup relabel
292 allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
294 allow $2 $1_xserver_tmp_t:dir r_dir_perms;
295 allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
296 allow $2 $1_xserver_t:unix_stream_socket connectto;
298 allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
300 # Communicate via System V shared memory.
301 allow $1_xserver_t $2:shm rw_shm_perms;
302 allow $2 $1_xserver_t:shm rw_shm_perms;
304 getty_use_fds($1_xserver_t)
306 locallogin_use_fds($1_xserver_t)
308 userdom_search_user_home_dirs($1,$1_xserver_t)
309 userdom_use_user_ttys($1,$1_xserver_t)
310 userdom_setattr_user_ttys($1,$1_xserver_t)
311 userdom_rw_user_tmpfs_files($1,$1_xserver_t)
313 xserver_use_user_fonts($1,$1_xserver_t)
316 userhelper_search_config($1_xserver_t)
320 allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
321 allow $1_t xdm_xserver_t:unix_stream_socket connectto;
324 allow $1_t xdm_tmp_t:sock_file unlink;
325 allow $1_xserver_t xdm_var_run_t:dir search;
329 ##############################
331 # $1_xauth_t Local policy
334 allow $1_xauth_t self:process signal;
335 allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
337 allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
338 userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file)
340 allow $1_xauth_t $1_xauth_tmp_t:dir create_dir_perms;
341 allow $1_xauth_t $1_xauth_tmp_t:file create_file_perms;
342 files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
344 domain_auto_trans($2, xauth_exec_t, $1_xauth_t)
345 allow $2 $1_xauth_t:fd use;
346 allow $1_xauth_t $2:fd use;
347 allow $1_xauth_t $2:fifo_file rw_file_perms;
348 allow $1_xauth_t $2:process sigchld;
350 allow $2 $1_xauth_t:process signal;
352 # allow ps to show xauth
353 allow $2 $1_xauth_t:dir { search getattr read };
354 allow $2 $1_xauth_t:{ file lnk_file } { read getattr };
355 allow $2 $1_xauth_t:process getattr;
356 # We need to suppress this denial because procps tries to access
357 # /proc/pid/environ and this now triggers a ptrace check in recent kernels
358 # (2.4 and 2.6). Might want to change procps to not do this, or only if
359 # running in a privileged domain.
360 dontaudit $2 $1_xauth_t:process ptrace;
362 allow $2 $1_xauth_home_t:file manage_file_perms;
363 allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
365 allow xdm_t $1_xauth_home_t:file manage_file_perms;
366 userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
368 domain_use_interactive_fds($1_xauth_t)
370 files_read_etc_files($1_xauth_t)
371 files_search_pids($1_xauth_t)
373 fs_getattr_xattr_fs($1_xauth_t)
374 fs_search_auto_mountpoints($1_xauth_t)
377 term_use_ptmx($1_xauth_t)
379 libs_use_ld_so($1_xauth_t)
380 libs_use_shared_libs($1_xauth_t)
382 sysnet_dns_name_resolve($1_xauth_t)
384 userdom_use_user_terminals($1,$1_xauth_t)
385 userdom_read_user_tmp_files($1,$1_xauth_t)
387 tunable_policy(`use_nfs_home_dirs',`
388 fs_manage_nfs_files($1_xauth_t)
391 tunable_policy(`use_samba_home_dirs',`
392 fs_manage_cifs_files($1_xauth_t)
396 nis_use_ypbind($1_xauth_t)
400 ssh_sigchld($1_xauth_t)
401 ssh_read_pipes($1_xauth_t)
402 ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
405 ##############################
407 # $1_iceauth_t Local policy
410 domain_auto_trans($2, iceauth_exec_t, $1_iceauth_t)
411 allow $2 $1_iceauth_t:fd use;
412 allow $1_iceauth_t $2:fd use;
413 allow $1_iceauth_t $2:fifo_file rw_file_perms;
414 allow $1_iceauth_t $2:process sigchld;
416 allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms;
417 userdom_user_home_dir_filetrans($1,$1_iceauth_t,$1_iceauth_home_t,file)
419 # allow ps to show iceauth
420 allow $2 $1_iceauth_t:dir { search getattr read };
421 allow $2 $1_iceauth_t:{ file lnk_file } { read getattr };
422 allow $2 $1_iceauth_t:process getattr;
423 # We need to suppress this denial because procps tries to access
424 # /proc/pid/environ and this now triggers a ptrace check in recent kernels
425 # (2.4 and 2.6). Might want to change procps to not do this, or only if
426 # running in a privileged domain.
427 dontaudit $2 $1_iceauth_t:process ptrace;
429 allow $2 $1_iceauth_home_t:file manage_file_perms;
430 allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
432 fs_search_auto_mountpoints($1_iceauth_t)
434 libs_use_ld_so($1_iceauth_t)
435 libs_use_shared_libs($1_iceauth_t)
437 userdom_use_user_terminals($1,$1_iceauth_t)
439 tunable_policy(`use_nfs_home_dirs',`
440 fs_manage_nfs_files($1_iceauth_t)
443 tunable_policy(`use_samba_home_dirs',`
444 fs_manage_cifs_files($1_iceauth_t)
448 #######################################
450 ## Template for creating sessions on a
451 ## prefix X server, with read-only
452 ## access to the X server shared
455 ## <param name="prefix">
457 ## The prefix of the domain (e.g., user
458 ## is the prefix for user_t).
461 ## <param name="domain">
463 ## Domain allowed access.
466 ## <param name="tmpfs_type">
468 ## The type of the domain SYSV tmpfs files.
472 template(`xserver_ro_session_template',`
474 type $1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmpfs_t;
477 # Xserver read/write client shm
# Server side: the X server gets read and write on the shm segments of the
# client domain and on the client tmpfs file type (third argument).
478 allow $1_xserver_t $2:fd use;
479 allow $1_xserver_t $2:shm rw_shm_perms;
480 allow $1_xserver_t $3:file rw_file_perms;
# Client side: connect to the server unix stream socket and send it signals.
483 allow $2 $1_xserver_t:unix_stream_socket connectto;
484 allow $2 $1_xserver_t:process signal;
# Client may read files labelled with the server tmp type.
487 allow $2 $1_xserver_tmp_t:file { getattr read };
489 # Client read xserver shm
# Read-only direction: r_shm_perms and r_file_perms, in contrast to the rw
# permission sets the server receives on client objects above.
490 allow $2 $1_xserver_t:fd use;
491 allow $2 $1_xserver_t:shm r_shm_perms;
492 allow $2 $1_xserver_tmpfs_t:file r_file_perms;
495 #######################################
497 ## Template for creating sessions on a
498 ## prefix X server, with read and write
499 ## access to the X server shared
502 ## <param name="prefix">
504 ## The prefix of the domain (e.g., user
505 ## is the prefix for user_t).
508 ## <param name="domain">
510 ## Domain allowed access.
513 ## <param name="tmpfs_type">
515 ## The type of the domain SYSV tmpfs files.
519 template(`xserver_rw_session_template',`
521 type $1_xserver_t, $1_xserver_tmpfs_t;
# Start from the read-only session rules, then widen the client side to read
# and write on the X server shm segments and tmpfs files.
524 xserver_ro_session_template($1,$2,$3)
525 allow $2 $1_xserver_t:shm rw_shm_perms;
526 allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
529 #######################################
531 ## Template for creating full client sessions
532 ## on a user X server.
534 ## <param name="prefix">
536 ## The prefix of the domain (e.g., user
537 ## is the prefix for user_t).
540 ## <param name="domain">
542 ## Domain allowed access.
545 ## <param name="tmpfs_type">
547 ## The type of the domain SYSV tmpfs files.
551 template(`xserver_user_client_template',`
554 type xdm_t, xdm_tmp_t;
555 type $1_xauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
558 allow $2 self:shm create_shm_perms;
559 allow $2 self:unix_dgram_socket create_socket_perms;
560 allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
562 # Read .Xauthority file
563 allow $2 $1_xauth_home_t:file { getattr read };
565 # for when /tmp/.X11-unix is created by the system
566 allow $2 xdm_t:fd use;
567 allow $2 xdm_t:fifo_file { getattr read write ioctl };
568 allow $2 xdm_tmp_t:dir search;
569 allow $2 xdm_tmp_t:sock_file { read write };
570 dontaudit $2 xdm_t:tcp_socket { read write };
572 # Allow connections to X server.
575 miscfiles_read_fonts($2)
577 userdom_search_user_home_dirs($1,$2)
578 # for .xsession-errors
579 userdom_dontaudit_write_user_home_content_files($1,$2)
# Read-only session on the xdm X server, read and write session on the X
# server of the user prefix, plus access to the user fonts.
581 xserver_ro_session_template(xdm,$2,$3)
582 xserver_rw_session_template($1,$2,$3)
583 xserver_use_user_fonts($1,$2)
585 # Client write xserver shm
# NOTE(review): the two rules inside this tunable are the same two rules that
# xserver_rw_session_template grants, and that template is invoked
# unconditionally just above for the same prefix and domain. As written,
# switching allow_write_xshm off does not remove client write access to the
# X server shared memory. If the boolean is meant to gate write access, the
# unconditional call would have to be the read-only session template instead;
# confirm the intent before changing it.
586 tunable_policy(`allow_write_xshm',`
587 allow $2 $1_xserver_t:shm rw_shm_perms;
588 allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
591 # for X over a ssh tunnel
593 kernel_tcp_recvfrom($2)
598 ########################################
600 ## Read user fonts, user font configuration,
601 ## and manage the user font cache.
605 ## Read user fonts, user font configuration,
606 ## and manage the user font cache.
609 ## This is a templated interface, and should only
610 ## be called from a per-userdomain template.
613 ## <param name="userdomain_prefix">
615 ## The prefix of the user domain (e.g., user
616 ## is the prefix for user_t).
619 ## <param name="domain">
621 ## Domain allowed access.
625 template(`xserver_use_user_fonts',`
627 type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
630 # Read per user fonts
631 allow $2 $1_fonts_t:dir list_dir_perms;
632 allow $2 $1_fonts_t:file read_file_perms;
634 # Manage the per user font cache (the rules name the cache type of this
# user prefix, not a global one). This is the only write access granted here.
635 allow $2 $1_fonts_cache_t:dir manage_dir_perms;
636 allow $2 $1_fonts_cache_t:file manage_file_perms;
638 # Read per user font config
639 allow $2 $1_fonts_config_t:dir list_dir_perms;
640 allow $2 $1_fonts_config_t:file read_file_perms;
# The font types are home content, so the caller also needs to search the
# home directories of this user prefix.
642 userdom_search_user_home_dirs($1,$2)
645 ########################################
647 ## Transition to a user Xauthority domain.
651 ## Transition to a user Xauthority domain.
654 ## This is a templated interface, and should only
655 ## be called from a per-userdomain template.
658 ## <param name="userdomain_prefix">
660 ## The prefix of the user domain (e.g., user
661 ## is the prefix for user_t).
664 ## <param name="domain">
666 ## Domain allowed access.
670 template(`xserver_domtrans_user_xauth',`
672 type $1_xauth_t, xauth_exec_t;
675 domain_auto_trans($2, xauth_exec_t, $1_xauth_t)
676 allow $2 $1_xauth_t:fd use;
677 allow $1_xauth_t $2:fd use;
678 allow $1_xauth_t $2:fifo_file rw_file_perms;
679 allow $1_xauth_t $2:process sigchld;
682 ########################################
684 ## Read all users fonts, user font configurations,
685 ## and manage all users font caches.
687 ## <param name="domain">
689 ## Domain allowed access.
693 interface(`xserver_use_all_users_fonts',`
695 attribute fonts_type, fonts_cache_type, fonts_config_type;
698 # Read the fonts of all users (every type carrying the fonts_type attribute)
699 allow $1 fonts_type:dir list_dir_perms;
700 allow $1 fonts_type:file read_file_perms;
702 # Manage the font caches of all users (every type carrying the
# fonts_cache_type attribute). NOTE(review): this is write access across
# user boundaries, so callers should be limited to trusted domains.
703 allow $1 fonts_cache_type:dir manage_dir_perms;
704 allow $1 fonts_cache_type:file manage_file_perms;
706 # Read the font config of all users
707 allow $1 fonts_config_type:dir list_dir_perms;
708 allow $1 fonts_config_type:file read_file_perms;
710 userdom_search_all_users_home_dirs($1)
713 ########################################
715 ## Set the attributes of the X windows console named pipes.
717 ## <param name="domain">
719 ## Domain allowed access.
723 interface(`xserver_setattr_console_pipes',`
725 type xconsole_device_t;
728 allow $1 xconsole_device_t:fifo_file setattr;
731 ########################################
733 ## Read and write the X windows console named pipe.
735 ## <param name="domain">
737 ## Domain allowed access.
741 interface(`xserver_rw_console',`
743 type xconsole_device_t;
746 allow $1 xconsole_device_t:fifo_file { getattr read write };
749 ########################################
751 ## Connect to XDM over a unix domain
754 ## <param name="domain">
756 ## Domain allowed access.
760 interface(`xserver_stream_connect_xdm',`
765 allow $1 xdm_t:unix_stream_socket connectto;
768 ########################################
770 ## Read xdm-writable configuration files.
772 ## <param name="domain">
774 ## Domain allowed access.
778 interface(`xserver_read_xdm_rw_config',`
784 allow $1 xdm_rw_etc_t:dir { getattr read };
787 ########################################
789 ## Set the attributes of XDM temporary directories.
791 ## <param name="domain">
793 ## Domain allowed access.
797 interface(`xserver_setattr_xdm_tmp_dirs',`
802 allow $1 xdm_tmp_t:dir setattr;
805 ########################################
807 ## Create a named socket in a XDM
808 ## temporary directory.
810 ## <param name="domain">
812 ## Domain allowed access.
816 interface(`xserver_create_xdm_tmp_sockets',`
822 allow $1 xdm_tmp_t:dir ra_dir_perms;
823 allow $1 xdm_tmp_t:sock_file create;
826 ########################################
828 ## Read XDM pid files.
830 ## <param name="domain">
832 ## Domain allowed access.
836 interface(`xserver_read_xdm_pid',`
841 files_search_pids($1)
842 allow $1 xdm_var_run_t:file r_file_perms;
845 ########################################
847 ## Read XDM var lib files.
849 ## <param name="domain">
851 ## Domain allowed access.
855 interface(`xserver_read_xdm_lib_files',`
860 allow $1 xdm_var_lib_t:file { getattr read };
863 ########################################
865 ## Execute the X server in the XDM X server domain.
867 ## <param name="domain">
869 ## Domain allowed access.
873 interface(`xserver_domtrans_xdm_xserver',`
875 type xdm_xserver_t, xserver_exec_t;
878 domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
880 allow $1 xdm_xserver_t:fd use;
881 allow xdm_xserver_t $1:fd use;
882 allow xdm_xserver_t $1:fifo_file rw_file_perms;
883 allow xdm_xserver_t $1:process sigchld;
886 ########################################
888 ## Make an X session script an entrypoint for the specified domain.
890 ## <param name="domain">
892 ## The domain for which the X session script is an entrypoint.
896 interface(`xserver_xsession_entry_type',`
898 type xsession_exec_t;
901 domain_entry_file($1,xsession_exec_t)
904 ########################################
906 ## Execute an X session in the target domain. This
907 ## is an explicit transition, requiring the
908 ## caller to use setexeccon().
912 ## Execute an Xsession in the target domain. This
913 ## is an explicit transition, requiring the
914 ## caller to use setexeccon().
917 ## No interprocess communication (signals, pipes,
918 ## etc.) is provided by this interface since
919 ## the domains are not owned by this module.
922 ## <param name="domain">
924 ## Domain allowed access.
927 ## <param name="target_domain">
929 ## The type of the shell process.
933 interface(`xserver_xsession_spec_domtrans',`
935 type xsession_exec_t;
938 domain_trans($1,xsession_exec_t,$2)
941 ########################################
943 ## Get the attributes of X server logs.
945 ## <param name="domain">
947 ## Domain allowed access.
951 interface(`xserver_getattr_log',`
956 logging_search_logs($1)
957 allow $1 xserver_log_t:file getattr;
960 ########################################
962 ## Do not audit attempts to write the X server
965 ## <param name="domain">
967 ## Domain to not audit
971 interface(`xserver_dontaudit_write_log',`
976 dontaudit $1 xserver_log_t:file { append write };
979 ########################################
981 ## Delete X server log files.
984 ## <param name="domain">
986 ## Domain allowed access.
990 interface(`xserver_delete_log',`
995 logging_search_logs($1)
996 allow $1 xserver_log_t:dir rw_dir_perms;
997 allow $1 xserver_log_t:file unlink;
1000 ########################################
1002 ## Read X keyboard extension libraries.
1004 ## <param name="domain">
1006 ## Domain allowed access.
1010 interface(`xserver_read_xkb_libs',`
1015 files_search_var_lib($1)
1016 allow $1 xkb_var_lib_t:dir list_dir_perms;
1017 allow $1 xkb_var_lib_t:file r_file_perms;
1018 allow $1 xkb_var_lib_t:lnk_file { getattr read };
1021 ########################################
1023 ## Read xdm temporary files.
1025 ## <param name="domain">
1027 ## Domain allowed access.
1031 interface(`xserver_read_xdm_xserver_tmp_files',`
1033 type xdm_xserver_tmp_t;
1036 allow $1 xdm_xserver_tmp_t:file { getattr read };
1039 ########################################
1041 ## Kill XDM X servers
1043 ## <param name="domain">
1045 ## Domain allowed access.
1049 interface(`xserver_kill_xdm_xserver',`
1054 allow $1 xdm_xserver_t:process sigkill;
1057 ########################################
1059 ## Do not audit attempts to read and write to
1060 ## a XDM X server socket.
1062 ## <param name="domain">
1064 ## Domain to not audit
1068 interface(`xserver_dontaudit_rw_xdm_xserver_tcp_sockets',`
1073 dontaudit $1 xdm_xserver_t:tcp_socket { read write };