1 ## <summary>X Windows Server</summary>
3 ########################################
5 ## Rules required for using the X Windows server
6 ## and environment, for restricted users.
10 ## Role allowed access.
13 ## <param name="domain">
15 ## Domain allowed access.
19 interface(`xserver_restricted_role',`
21 type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
22 type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t;
23 type iceauth_t, iceauth_exec_t, iceauth_home_t;
24 type xauth_t, xauth_exec_t, xauth_home_t;
# Authorize role $1 for the X server, xauth and iceauth process types.
28 role $1 types { xserver_t xauth_t iceauth_t };
30 # Xserver read/write client shm
31 allow xserver_t $2:fd use;
32 allow xserver_t $2:shm rw_shm_perms;
# The X server may also signal the client domain and query its process group.
34 allow xserver_t $2:process { getpgid signal };
# NOTE(review): this repeats the shm rule granted two rules above; it adds
# no access and can be dropped.
36 allow xserver_t $2:shm rw_shm_perms;
# Read-only access to per-user fonts and font configuration.
38 allow $2 user_fonts_t:dir list_dir_perms;
39 allow $2 user_fonts_t:file read_file_perms;
40 allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
42 allow $2 user_fonts_config_t:dir list_dir_perms;
43 allow $2 user_fonts_config_t:file read_file_perms;
# Full management of the font cache, unlike the read-only font rules above.
45 manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
46 manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
48 stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
# The client may delete X server socket files, not only connect through them.
49 allow $2 xserver_tmp_t:sock_file delete_sock_file_perms;
# dontaudit only hides the denial from the audit log; no access is granted.
50 dontaudit $2 xdm_tmp_t:sock_file setattr_sock_file_perms;
53 # Communicate via System V shared memory.
54 allow $2 xserver_t:shm r_shm_perms;
55 allow $2 xserver_tmpfs_t:file read_file_perms;
57 # allow ps to show iceauth
58 ps_process_pattern($2, iceauth_t)
60 domtrans_pattern($2, iceauth_exec_t, iceauth_t)
# Read-only on the ICE authority file; writes go through the iceauth_t domain.
62 allow $2 iceauth_home_t:file read_file_perms;
64 domtrans_pattern($2, xauth_exec_t, xauth_t)
66 allow $2 xauth_t:process signal;
68 # allow ps to show xauth
69 ps_process_pattern($2, xauth_t)
70 allow $2 xserver_t:process signal;
# Read-only on the X authority file; writes go through the xauth_t domain.
72 allow $2 xauth_home_t:file read_file_perms;
74 # for when /tmp/.X11-unix is created by the system
75 allow $2 xdm_t:fd use;
76 allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
77 allow $2 xdm_tmp_t:dir search_dir_perms;
78 allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
# The next two rules silence audit records only; the accesses stay denied
# unless another rule allows them.
79 dontaudit $2 xdm_t:tcp_socket { read write };
80 dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;
# D-Bus messaging is granted in both directions between the client and xdm_t.
82 allow $2 xdm_t:dbus send_msg;
83 allow xdm_t $2:dbus send_msg;
85 # Client read xserver shm
86 allow $2 xserver_t:fd use;
87 allow $2 xserver_tmpfs_t:file read_file_perms;
90 allow $2 xserver_tmp_t:file read_inherited_file_perms;
92 dev_rw_xserver_misc($2)
93 dev_rw_power_management($2)
97 # open office is looking for the following
98 dev_getattr_agp_dev($2)
100 # GNOME checks for usb and other devices:
103 miscfiles_read_fonts($2)
104 miscfiles_setattr_fonts_cache_dirs($2)
105 miscfiles_read_hwdata($2)
# The X object prefix is the literal user here, not a parameter, so every
# caller of this interface shares the user_ X property and event types.
107 xserver_common_x_domain_template(user, $2)
109 #xserver_unconfined($2)
110 xserver_xsession_entry_type($2)
111 xserver_dontaudit_write_log($2)
112 xserver_stream_connect_xdm($2)
113 # certain apps want to read xdm.pid file
114 xserver_read_xdm_pid($2)
115 # gnome-session creates socket under /tmp/.ICE-unix/
116 xserver_create_xdm_tmp_sockets($2)
117 # Needed for escd, remove if we get escd policy
118 xserver_manage_xdm_tmp_files($2)
119 xserver_read_xdm_etc_files($2)
120 xserver_xdm_append_log($2)
122 term_use_virtio_console($2)
# NOTE(review): the subject passed here is xserver_t, not $2. By its name this
# lets the X server run insmod in role $1 - confirm against the modutils
# interface that a restricted role should carry this.
124 modutils_run_insmod(xserver_t, $1)
126 # Client write xserver shm
# Only when the allow_write_xshm boolean is on does the client gain write
# access to X server shared memory and its tmpfs files.
127 tunable_policy(`allow_write_xshm',`
128 allow $2 xserver_t:shm rw_shm_perms;
129 allow $2 xserver_tmpfs_t:file rw_file_perms;
# NOTE(review): the body of the user_direct_dri block is not visible in this
# listing, so what it grants cannot be reviewed from here.
132 tunable_policy(`user_direct_dri',`
137 ########################################
139 ## Rules required for using the X Windows server
142 ## <param name="role">
144 ## Role allowed access.
147 ## <param name="domain">
149 ## Domain allowed access.
153 interface(`xserver_role',`
155 type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
156 type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
159 xserver_restricted_role($1, $2)
161 # Communicate via System V shared memory.
162 allow $2 xserver_t:shm rw_shm_perms;
163 allow $2 xserver_tmpfs_t:file rw_file_perms;
165 allow $2 iceauth_home_t:file manage_file_perms;
166 allow $2 iceauth_home_t:file relabel_file_perms;
168 allow $2 xauth_home_t:file manage_file_perms;
169 allow $2 xauth_home_t:file relabel_file_perms;
171 mls_xwin_read_to_clearance($2)
172 manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
173 manage_files_pattern($2, user_fonts_t, user_fonts_t)
174 allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
175 relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
176 relabel_files_pattern($2, user_fonts_t, user_fonts_t)
178 manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
179 manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
180 relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
181 relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
183 manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
184 manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
185 relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
186 relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
189 #######################################
191 ## Create sessions on the X server, with read-only
192 ## access to the X server shared
195 ## <param name="domain">
197 ## Domain allowed access.
200 ## <param name="tmpfs_type">
202 ## The type of the domain SYSV tmpfs files.
206 interface(`xserver_ro_session',`
208 type xserver_t, xserver_tmp_t, xserver_tmpfs_t;
# Read-only describes the client view of X server shared memory only.
# In the other direction the X server gets read and write access to the
# client shm and to the client tmpfs files of type $2.
211 # Xserver read/write client shm
212 allow xserver_t $1:fd use;
213 allow xserver_t $1:shm rw_shm_perms;
214 allow xserver_t $2:file rw_file_perms;
# Besides connecting to the X server socket, the client may signal the server.
217 allow $1 xserver_t:unix_stream_socket connectto;
218 allow $1 xserver_t:process signal;
221 allow $1 xserver_tmp_t:file read_file_perms;
223 # Client read xserver shm
224 allow $1 xserver_t:fd use;
225 allow $1 xserver_t:shm r_shm_perms;
226 allow $1 xserver_tmpfs_t:file read_file_perms;
229 #######################################
231 ## Create sessions on the X server, with read and write
232 ## access to the X server shared
235 ## <param name="domain">
237 ## Domain allowed access.
240 ## <param name="tmpfs_type">
242 ## The type of the domain SYSV tmpfs files.
246 interface(`xserver_rw_session',`
248 type xserver_t, xserver_tmpfs_t;
# Start from the read-only session, then widen the client side to read and
# write on X server shared memory and its tmpfs files.
251 xserver_ro_session($1, $2)
252 allow $1 xserver_t:shm rw_shm_perms;
253 allow $1 xserver_tmpfs_t:file rw_file_perms;
256 #######################################
258 ## Create non-drawing client sessions on an X server.
260 ## <param name="domain">
262 ## Domain allowed access.
266 interface(`xserver_non_drawing_client',`
268 class x_drawable { getattr get_property };
269 class x_extension { query use };
270 class x_gc { create setattr };
271 class x_property read;
273 type xserver_t, xdm_var_run_t;
274 type xextension_t, xproperty_t, root_xdrawable_t;
277 allow $1 self:x_gc { create setattr };
279 allow $1 xdm_var_run_t:dir search_dir_perms;
280 allow $1 xserver_t:unix_stream_socket connectto;
282 allow $1 xextension_t:x_extension { query use };
283 allow $1 root_xdrawable_t:x_drawable { getattr get_property };
284 allow $1 xproperty_t:x_property read;
287 #######################################
289 ## Create full client sessions
290 ## on a user X server.
292 ## <param name="domain">
294 ## Domain allowed access.
297 ## <param name="tmpfs_type">
299 ## The type of the domain SYSV tmpfs files.
303 interface(`xserver_user_client',`
304 refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
306 type xdm_t, xdm_tmp_t;
307 type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
310 allow $1 self:shm create_shm_perms;
311 allow $1 self:unix_dgram_socket create_socket_perms;
312 allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
314 # Read .Xauthority file
315 allow $1 xauth_home_t:file read_file_perms;
316 allow $1 iceauth_home_t:file read_file_perms;
318 # for when /tmp/.X11-unix is created by the system
319 allow $1 xdm_t:fd use;
320 allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
321 allow $1 xdm_tmp_t:dir search_dir_perms;
322 allow $1 xdm_tmp_t:sock_file { read write };
323 dontaudit $1 xdm_t:tcp_socket { read write };
325 # Allow connections to X server.
328 miscfiles_read_fonts($1)
330 userdom_search_user_home_dirs($1)
331 # for .xsession-errors
332 userdom_dontaudit_write_user_home_content_files($1)
334 xserver_ro_session($1,$2)
335 xserver_use_user_fonts($1)
337 xserver_read_xdm_tmp_files($1)
339 # Client write xserver shm
340 tunable_policy(`allow_write_xshm',`
341 allow $1 xserver_t:shm rw_shm_perms;
342 allow $1 xserver_tmpfs_t:file rw_file_perms;
346 #######################################
348 ## Interface to provide X object permissions on a given X server to
349 ## an X client domain. Provides the minimal set required by a basic
350 ## X client application.
352 ## <param name="prefix">
354 ## The prefix of the X client domain (e.g., user
355 ## is the prefix for user_t).
358 ## <param name="domain">
360 ## Client domain allowed access.
364 template(`xserver_common_x_domain_template',`
366 type root_xdrawable_t, xdm_t, xserver_t;
367 type xproperty_t, $1_xproperty_t;
368 type xevent_t, client_xevent_t;
369 type input_xevent_t, $1_input_xevent_t;
371 attribute x_domain, input_xevent_type;
372 attribute xdrawable_type, xcolormap_type;
374 class x_drawable all_x_drawable_perms;
375 class x_property all_x_property_perms;
376 class x_event all_x_event_perms;
377 class x_synthetic_event all_x_synthetic_event_perms;
378 class x_client destroy;
379 class x_server manage;
380 class x_screen { saver_setattr saver_hide saver_show };
381 class x_pointer { get_property set_property manage };
382 class x_keyboard { read manage };
385 ##############################
# Mark the client domain $2 as an X domain and as a drawable and colormap
# type. Rules written against these attributes elsewhere then apply to $2.
391 typeattribute $2 x_domain;
392 typeattribute $2 xdrawable_type, xcolormap_type;
395 # disable property transitions for the time being.
396 # type_transition $2 xproperty_t:x_property $1_xproperty_t;
399 # new windows have the domain type
400 type_transition $2 root_xdrawable_t:x_drawable $2;
403 # distinguish input events
404 type_transition $2 input_xevent_t:x_event $1_input_xevent_t;
405 # can send own events
406 allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } send;
407 # can receive own events
408 allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
409 # can receive default events
410 allow $2 client_xevent_t:{ x_event x_synthetic_event } receive;
411 allow $2 xevent_t:{ x_event x_synthetic_event } receive;
412 # dont audit send failures
# This hides denied sends to any input event type from the audit log, so
# blocked input injection attempts by $2 leave no AVC record.
413 dontaudit $2 input_xevent_type:x_event send;
# Access to drawables and clients labeled xdm_t, including destroying an
# xdm_t client.
415 allow $2 xdm_t:x_drawable { hide read add_child manage };
416 allow $2 xdm_t:x_client destroy;
418 allow $2 root_xdrawable_t:x_drawable write;
# NOTE(review): every domain using this template receives manage on the
# server, pointer and keyboard objects plus read on the keyboard. The header
# describes this as the minimal set for a basic client - confirm that these
# grants are still required before reusing the template for new domains.
419 allow $2 xserver_t:x_server manage;
420 allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show };
421 allow $2 xserver_t:x_pointer { get_property set_property manage };
422 allow $2 xserver_t:x_keyboard { read manage };
425 #######################################
427 ## Template for creating the set of types used
428 ## in an X windows domain.
430 ## <param name="prefix">
432 ## The prefix of the X client domain (e.g., user
433 ## is the prefix for user_t).
437 template(`xserver_object_types_template',`
439 attribute xproperty_type, input_xevent_type, xevent_type;
442 ##############################
447 # Types for properties
448 type $1_xproperty_t, xproperty_type;
449 ubac_constrained($1_xproperty_t)
452 type $1_input_xevent_t, input_xevent_type, xevent_type;
453 ubac_constrained($1_input_xevent_t)
456 #######################################
458 ## Interface to provide X object permissions on a given X server to
459 ## an X client domain. Provides the minimal set required by a basic
460 ## X client application.
462 ## <param name="prefix">
464 ## The prefix of the X client domain (e.g., user
465 ## is the prefix for user_t).
468 ## <param name="domain">
470 ## Client domain allowed access.
473 ## <param name="tmpfs_type">
475 ## The type of the domain SYSV tmpfs files.
479 template(`xserver_user_x_domain_template',`
481 type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
483 type xauth_home_t, iceauth_home_t, xserver_t;
486 allow $2 self:shm create_shm_perms;
487 allow $2 self:unix_dgram_socket create_socket_perms;
488 allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
490 # Read .Xauthority file
# Read-only access to the X and ICE authority files of the user.
491 allow $2 xauth_home_t:file read_file_perms;
492 allow $2 iceauth_home_t:file read_file_perms;
# Named file transitions: presumably files created by $2 in the user home
# directory under these names receive the listed type instead of the default
# home content label - confirm against the userdom interface.
# NOTE(review): xdm_home_t is used below but does not appear in the require
# lines visible in this listing; verify it is declared.
494 userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".DCOP")
495 userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority")
496 userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority")
497 userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth")
498 userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors")
499 userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".dmrc")
501 # for when /tmp/.X11-unix is created by the system
502 allow $2 xdm_t:fd use;
503 allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
504 allow $2 xdm_tmp_t:dir search_dir_perms;
505 allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
# Audit suppression only; reads and writes on xdm_t TCP sockets stay denied
# unless allowed elsewhere.
506 dontaudit $2 xdm_t:tcp_socket { read write };
508 # Allow connections to X server.
511 miscfiles_read_fonts($2)
513 userdom_search_user_home_dirs($2)
514 # for .xsession-errors
515 userdom_dontaudit_write_user_home_content_files($2)
# $3 is the tmpfs type of the client; the X server gets read and write on it.
517 xserver_ro_session($2, $3)
518 xserver_use_user_fonts($2)
520 xserver_read_xdm_tmp_files($2)
521 xserver_read_xdm_pid($2)
522 xserver_xdm_append_log($2)
# Declare the per-prefix X object types first, then grant the common X
# object permissions that reference them.
525 xserver_object_types_template($1)
526 xserver_common_x_domain_template($1, $2)
528 # Client write xserver shm
# Write access to X server shared memory is gated on the allow_write_xshm
# boolean.
529 tunable_policy(`allow_write_xshm',`
530 allow $2 xserver_t:shm rw_shm_perms;
531 allow $2 xserver_tmpfs_t:file rw_file_perms;
# NOTE(review): the body of the user_direct_dri block is not visible in this
# listing.
534 tunable_policy(`user_direct_dri',`
539 ########################################
541 ## Read user fonts, user font configuration,
542 ## and manage the user font cache.
546 ## Read user fonts, user font configuration,
547 ## and manage the user font cache.
550 ## This is a templated interface, and should only
551 ## be called from a per-userdomain template.
554 ## <param name="domain">
556 ## Domain allowed access.
560 interface(`xserver_use_user_fonts',`
562 type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
565 # Read per user fonts
566 allow $1 user_fonts_t:dir list_dir_perms;
567 allow $1 user_fonts_t:file read_file_perms;
568 allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
570 # Manipulate the global font cache
# NOTE(review): the type managed here is user_fonts_cache_t, which the
# interface summary calls the user font cache; the word global in the
# comment above looks stale. This is the only write access in the interface.
571 manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
572 manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
574 # Read per user font config
575 allow $1 user_fonts_config_t:dir list_dir_perms;
576 allow $1 user_fonts_config_t:file read_file_perms;
578 userdom_search_user_home_dirs($1)
581 ########################################
583 ## Transition to the Xauthority domain.
585 ## <param name="domain">
587 ## Domain allowed to transition.
591 interface(`xserver_domtrans_xauth',`
593 type xauth_t, xauth_exec_t;
596 domtrans_pattern($1, xauth_exec_t, xauth_t)
599 ########################################
601 ## Dontaudit exec of Xauthority program.
603 ## <param name="domain">
605 ## Domain to not audit.
609 interface(`xserver_dontaudit_exec_xauth',`
614 dontaudit $1 xauth_exec_t:file execute;
617 ########################################
619 ## Create an Xauthority file in the user home directory.
621 ## <param name="domain">
623 ## Domain allowed access.
627 interface(`xserver_user_home_dir_filetrans_user_xauth',`
632 userdom_user_home_dir_filetrans($1, xauth_home_t, file)
635 ########################################
637 ## Read all users fonts, user font configurations,
638 ## and manage all users font caches.
640 ## <param name="domain">
642 ## Domain allowed access.
646 interface(`xserver_use_all_users_fonts',`
647 refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.')
648 xserver_use_user_fonts($1)
651 ########################################
653 ## Read all users .Xauthority.
655 ## <param name="domain">
657 ## Domain allowed access.
661 interface(`xserver_read_user_xauth',`
666 allow $1 xauth_home_t:file read_file_perms;
667 userdom_search_user_home_dirs($1)
668 xserver_read_xdm_pid($1)
671 ########################################
673 ## Set the attributes of the X windows console named pipes.
675 ## <param name="domain">
677 ## Domain allowed access.
681 interface(`xserver_setattr_console_pipes',`
683 type xconsole_device_t;
686 allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
689 ########################################
691 ## Read and write the X windows console named pipe.
693 ## <param name="domain">
695 ## Domain allowed access.
699 interface(`xserver_rw_console',`
701 type xconsole_device_t;
704 allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
707 ########################################
709 ## Read XDM state files.
711 ## <param name="domain">
713 ## Domain allowed access.
717 interface(`xserver_read_state_xdm',`
722 kernel_search_proc($1)
723 ps_process_pattern($1, xdm_t)
726 ########################################
728 ## Use file descriptors for xdm.
730 ## <param name="domain">
732 ## Domain allowed access.
736 interface(`xserver_use_xdm_fds',`
741 allow $1 xdm_t:fd use;
744 ########################################
746 ## Do not audit attempts to inherit
747 ## XDM file descriptors.
749 ## <param name="domain">
751 ## Domain to not audit.
755 interface(`xserver_dontaudit_use_xdm_fds',`
760 dontaudit $1 xdm_t:fd use;
763 ########################################
765 ## Read and write XDM unnamed pipes.
767 ## <param name="domain">
769 ## Domain allowed access.
773 interface(`xserver_rw_xdm_pipes',`
778 allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
781 ########################################
783 ## Do not audit attempts to read and write
784 ## XDM unnamed pipes.
786 ## <param name="domain">
788 ## Domain to not audit.
792 interface(`xserver_dontaudit_rw_xdm_pipes',`
797 dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
800 ########################################
802 ## Connect to XDM over a unix domain
805 ## <param name="domain">
807 ## Domain allowed access.
811 interface(`xserver_stream_connect_xdm',`
813 type xdm_t, xdm_tmp_t, xdm_var_run_t;
817 files_search_pids($1)
818 stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
821 ########################################
823 ## Read XDM files in user home directories.
825 ## <param name="domain">
827 ## Domain allowed access.
831 interface(`xserver_read_xdm_home_files',`
836 userdom_search_user_home_dirs($1)
837 allow $1 xdm_home_t:file read_file_perms;
840 ########################################
842 ## Read xdm-writable configuration files.
844 ## <param name="domain">
846 ## Domain allowed access.
850 interface(`xserver_read_xdm_rw_config',`
856 allow $1 xdm_rw_etc_t:file read_file_perms;
859 ########################################
861 ## Search XDM temporary directories.
863 ## <param name="domain">
865 ## Domain allowed access.
869 interface(`xserver_search_xdm_tmp_dirs',`
875 allow $1 xdm_tmp_t:dir search_dir_perms;
878 ########################################
880 ## Set the attributes of XDM temporary directories.
882 ## <param name="domain">
884 ## Domain allowed access.
888 interface(`xserver_setattr_xdm_tmp_dirs',`
893 allow $1 xdm_tmp_t:dir setattr_dir_perms;
896 ########################################
898 ## Create a named socket in a XDM
899 ## temporary directory.
901 ## <param name="domain">
903 ## Domain allowed access.
907 interface(`xserver_create_xdm_tmp_sockets',`
913 allow $1 xdm_tmp_t:dir list_dir_perms;
914 create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
917 ########################################
919 ## Read XDM pid files.
921 ## <param name="domain">
923 ## Domain allowed access.
927 interface(`xserver_read_xdm_pid',`
932 files_search_pids($1)
933 read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
936 ######################################
938 ## Do not audit attempts to read XDM pid files.
940 ## <param name="domain">
942 ## Domain to not audit.
946 interface(`xserver_dontaudit_read_xdm_pid',`
951 dontaudit $1 xdm_var_run_t:dir search_dir_perms;
952 dontaudit $1 xdm_var_run_t:file read_file_perms;
955 ########################################
957 ## Read XDM var lib files.
959 ## <param name="domain">
961 ## Domain allowed access.
965 interface(`xserver_read_xdm_lib_files',`
970 allow $1 xdm_var_lib_t:file read_file_perms;
973 ########################################
975 ## Read inherited XDM var lib files.
977 ## <param name="domain">
979 ## Domain allowed access.
983 interface(`xserver_read_inherited_xdm_lib_files',`
988 allow $1 xdm_var_lib_t:file read_inherited_file_perms;
991 ########################################
993 ## Make an X session script an entrypoint for the specified domain.
995 ## <param name="domain">
997 ## The domain for which the shell is an entrypoint.
1001 interface(`xserver_xsession_entry_type',`
1003 type xsession_exec_t;
1006 domain_entry_file($1, xsession_exec_t)
1009 ########################################
1011 ## Execute an X session in the target domain. This
1012 ## is an explicit transition, requiring the
1013 ## caller to use setexeccon().
1017 ## Execute an Xsession in the target domain. This
1018 ## is an explicit transition, requiring the
1019 ## caller to use setexeccon().
1022 ## No interprocess communication (signals, pipes,
1023 ## etc.) is provided by this interface since
1024 ## the domains are not owned by this module.
1027 ## <param name="domain">
1029 ## Domain allowed to transition.
1032 ## <param name="target_domain">
1034 ## The type of the shell process.
1038 interface(`xserver_xsession_spec_domtrans',`
1040 type xsession_exec_t;
1043 domain_trans($1, xsession_exec_t, $2)
1046 ########################################
1048 ## Get the attributes of X server logs.
1050 ## <param name="domain">
1052 ## Domain allowed access.
1056 interface(`xserver_getattr_log',`
1061 logging_search_logs($1)
1062 allow $1 xserver_log_t:file getattr_file_perms;
1065 ########################################
1067 ## Do not audit attempts to write the X server
1070 ## <param name="domain">
1072 ## Domain to not audit.
1076 interface(`xserver_dontaudit_write_log',`
1081 dontaudit $1 xserver_log_t:file rw_inherited_file_perms;
1084 ########################################
1086 ## Delete X server log files.
1088 ## <param name="domain">
1090 ## Domain allowed access.
1094 interface(`xserver_delete_log',`
1099 logging_search_logs($1)
1100 allow $1 xserver_log_t:dir list_dir_perms;
1101 delete_files_pattern($1, xserver_log_t, xserver_log_t)
1102 delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t)
1105 ########################################
1107 ## Read X keyboard extension libraries.
1109 ## <param name="domain">
1111 ## Domain allowed access.
1115 interface(`xserver_read_xkb_libs',`
1120 files_search_var_lib($1)
1121 allow $1 xkb_var_lib_t:dir list_dir_perms;
1122 read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
1123 read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
1126 ########################################
1128 ## Read xdm config files.
1130 ## <param name="domain">
1132 ## Domain allowed access.
1136 interface(`xserver_read_xdm_etc_files',`
1141 files_search_etc($1)
1142 read_files_pattern($1, xdm_etc_t, xdm_etc_t)
1143 read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
1146 ########################################
1148 ## Manage xdm config files.
1150 ## <param name="domain">
1152 ## Domain allowed access.
1156 interface(`xserver_manage_xdm_etc_files',`
1161 files_search_etc($1)
1162 manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
1165 ########################################
1167 ## Read xdm temporary files.
1169 ## <param name="domain">
1171 ## Domain allowed access.
1175 interface(`xserver_read_xdm_tmp_files',`
1180 files_search_tmp($1)
1181 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
1184 ########################################
1186 ## Do not audit attempts to read xdm temporary files.
1188 ## <param name="domain">
1190 ## Domain to not audit.
1194 interface(`xserver_dontaudit_read_xdm_tmp_files',`
1199 dontaudit $1 xdm_tmp_t:dir search_dir_perms;
1200 dontaudit $1 xdm_tmp_t:file read_file_perms;
1203 ########################################
1205 ## Read write xdm temporary files.
1207 ## <param name="domain">
1209 ## Domain allowed access.
1213 interface(`xserver_rw_xdm_tmp_files',`
1218 allow $1 xdm_tmp_t:dir search_dir_perms;
1219 allow $1 xdm_tmp_t:file rw_file_perms;
1222 ########################################
1224 ## Create, read, write, and delete xdm temporary files.
1226 ## <param name="domain">
1228 ## Domain allowed access.
1232 interface(`xserver_manage_xdm_tmp_files',`
1237 manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
1240 ########################################
1242 ## Relabel xdm temporary dirs.
1244 ## <param name="domain">
1246 ## Domain allowed access.
1250 interface(`xserver_relabel_xdm_tmp_dirs',`
1255 allow $1 xdm_tmp_t:dir relabel_dir_perms;
1258 ########################################
1260 ## Create, read, write, and delete xdm temporary dirs.
1262 ## <param name="domain">
1264 ## Domain allowed access.
1268 interface(`xserver_manage_xdm_tmp_dirs',`
1273 manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
1276 ########################################
1278 ## Do not audit attempts to get the attributes of
1279 ## xdm temporary named sockets.
1281 ## <param name="domain">
1283 ## Domain to not audit.
1287 interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
1292 dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
1295 ########################################
1297 ## Execute the X server in the X server domain.
1299 ## <param name="domain">
1301 ## Domain allowed to transition.
1305 interface(`xserver_domtrans',`
1307 type xserver_t, xserver_exec_t;
# siginh lets the X server process keep the signal state of the caller across
# the transition instead of having it reset.
1310 allow $1 xserver_t:process siginh;
# Transition from $1 to xserver_t when executing a file labeled
# xserver_exec_t.
1311 domtrans_pattern($1, xserver_exec_t, xserver_t)
# The X server may look up the process group of the domain that started it.
1313 allow xserver_t $1:process getpgid;
1316 ########################################
1320 ## <param name="domain">
1322 ## Domain allowed access.
1326 interface(`xserver_signal',`
1331 allow $1 xserver_t:process signal;
1334 ########################################
1338 ## <param name="domain">
1340 ## Domain allowed access.
1344 interface(`xserver_kill',`
1349 allow $1 xserver_t:process sigkill;
1352 ########################################
1354 ## Read and write X server Sys V Shared
1357 ## <param name="domain">
1359 ## Domain allowed access.
1363 interface(`xserver_rw_shm',`
1368 allow $1 xserver_t:shm rw_shm_perms;
1371 ########################################
1373 ## Do not audit attempts to read and write to
1374 ## X server sockets.
1376 ## <param name="domain">
1378 ## Domain to not audit.
1382 interface(`xserver_dontaudit_rw_tcp_sockets',`
1387 dontaudit $1 xserver_t:tcp_socket { read write };
1390 ########################################
1392 ## Do not audit attempts to read and write X server
1393 ## unix domain stream sockets.
1395 ## <param name="domain">
1397 ## Domain to not audit.
1401 interface(`xserver_dontaudit_rw_stream_sockets',`
1406 dontaudit $1 xserver_t:unix_stream_socket { read write };
1409 ########################################
1411 ## Connect to the X server over a unix domain
1414 ## <param name="domain">
1416 ## Domain allowed access.
1420 interface(`xserver_stream_connect',`
1422 type xserver_t, xserver_tmp_t;
1425 files_search_tmp($1)
# Connect to the X server through socket files labeled xserver_tmp_t.
1426 stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
# NOTE(review): beyond the socket connection named in the summary, this
# gives the X server read and write access to the shared memory of every
# caller. Callers that only need the socket receive this as well.
1427 allow xserver_t $1:shm rw_shm_perms;
1430 ######################################
1432 ## Dontaudit attempts to connect to xserver
1433 ## over a unix stream socket.
1435 ## <param name="domain">
1437 ## Domain to not audit.
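interface(`xserver_dontaudit_stream_connect',`
	gen_require(`
		type xserver_t, xserver_tmp_t;
	')

	# This interface must only silence audit records. The previous body
	# called stream_connect_pattern, which expands to allow rules and so
	# granted the connection it was documented as merely not auditing.
	# Write on the socket file and connectto on the server socket are the
	# two accesses a connection attempt makes, so those are the denials
	# hidden here. No access is granted.
	dontaudit $1 xserver_tmp_t:sock_file write_sock_file_perms;
	dontaudit $1 xserver_t:unix_stream_socket connectto;
')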
1449 ########################################
1451 ## Read X server temporary files.
1453 ## <param name="domain">
1455 ## Domain allowed access.
1459 interface(`xserver_read_tmp_files',`
1464 allow $1 xserver_tmp_t:file read_file_perms;
1465 files_search_tmp($1)
1468 ########################################
1470 ## Interface to provide X object permissions on a given X server to
1471 ## an X client domain. Gives the domain permission to read the
1472 ## virtual core keyboard and virtual core pointer devices.
1474 ## <param name="domain">
1476 ## Domain allowed access.
1480 interface(`xserver_manage_core_devices',`
1482 type xserver_t, root_xdrawable_t;
1483 class x_device all_x_device_perms;
1484 class x_pointer all_x_pointer_perms;
1485 class x_keyboard all_x_keyboard_perms;
1486 class x_screen all_x_screen_perms;
# NOTE(review): x_drawable is required twice, here and on the next class
# line; the second entry already includes manage.
1487 class x_drawable { manage };
1489 class x_drawable { read manage setattr show };
1490 class x_resource { write read };
# NOTE(review): the star grants every permission of the x_device, x_pointer
# and x_keyboard classes on the X server, which is far broader than the read
# access described in the interface summary. Treat callers as able to read
# and inject input for the whole display.
1493 allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
1494 allow $1 xserver_t:{ x_screen } setattr;
# These rules target the x_domain attribute, so they cover the drawables and
# resources of every X client domain, not one specific client.
# NOTE(review): x_domain is not among the require lines visible in this
# listing; verify the attribute is declared.
1496 allow $1 x_domain:x_drawable { read manage setattr show };
1497 allow $1 x_domain:x_resource { write read };
1498 allow $1 root_xdrawable_t:x_drawable { manage read };
1501 ########################################
1503 ## Interface to provide X object permissions on a given X server to
1504 ## an X client domain. Gives the domain complete control over the
1507 ## <param name="domain">
1509 ## Domain allowed access.
1513 interface(`xserver_unconfined',`
1515 attribute x_domain, xserver_unconfined_type;
# No allow rule appears in this interface. All access comes from the rules
# attached to these two attributes, which are defined outside this listing.
# The summary states the result is complete control over the display, so
# each caller deserves individual review.
1518 typeattribute $1 x_domain;
1519 typeattribute $1 xserver_unconfined_type;
1522 ########################################
1524 ## Dontaudit append to .xsession-errors file
1526 ## <param name="domain">
1528 ## Domain to not audit
1532 interface(`xserver_dontaudit_append_xdm_home_files',`
# NOTE(review): the name says append, but the permission set silenced here is
# the inherited read and write set, so denied reads and writes on xdm_home_t
# files also vanish from the audit log for $1.
1537 dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
# With home directories on NFS or CIFS the matching fs interfaces are called;
# by their names they silence read and write denials on those filesystems -
# confirm the exact scope in the filesystem module.
1539 tunable_policy(`use_nfs_home_dirs',`
1540 fs_dontaudit_rw_nfs_files($1)
1543 tunable_policy(`use_samba_home_dirs',`
1544 fs_dontaudit_rw_cifs_files($1)
1548 ########################################
1550 ## Append to .xsession-errors file
1552 ## <param name="domain">
1554 ## Domain allowed access.
1558 interface(`xserver_append_xdm_home_files',`
1560 type xdm_home_t, xserver_tmp_t;
# Append-only access to XDM files in the user home directory.
1563 allow $1 xdm_home_t:file append_file_perms;
# NOTE(review): this also allows appending to X server temporary files, which
# the interface summary does not mention.
1564 allow $1 xserver_tmp_t:file append_file_perms;
# The same append access is extended to NFS or CIFS home directories when
# the matching boolean is enabled.
1566 tunable_policy(`use_nfs_home_dirs',`
1567 fs_append_nfs_files($1)
1570 tunable_policy(`use_samba_home_dirs',`
1571 fs_append_cifs_files($1)
1575 #######################################
1577 ## Allow searching the xdm_spool directories
1579 ## <param name="domain">
1581 ## Domain allowed access.
1585 interface(`xserver_xdm_search_spool',`
1590 files_search_spool($1)
1591 search_dirs_pattern($1, xdm_spool_t, xdm_spool_t)
1594 ######################################
1596 ## Allow reading the xdm_spool files
1598 ## <param name="domain">
1600 ## Domain allowed access.
1604 interface(`xserver_xdm_read_spool',`
1609 files_search_spool($1)
1610 read_files_pattern($1, xdm_spool_t, xdm_spool_t)
1613 ########################################
1615 ## Manage the xdm_spool files
1617 ## <param name="domain">
1619 ## Domain allowed access.
1623 interface(`xserver_xdm_manage_spool',`
1628 files_search_spool($1)
1629 manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
1632 ########################################
1634 ## Send and receive messages from
1637 ## <param name="domain">
1639 ## Domain allowed access.
1643 interface(`xserver_dbus_chat_xdm',`
1646 class dbus send_msg;
1649 allow $1 xdm_t:dbus send_msg;
1650 allow xdm_t $1:dbus send_msg;
1653 ########################################
1655 ## Read xserver files created in /var/run
1657 ## <param name="domain">
1659 ## Domain allowed access.
1663 interface(`xserver_read_pid',`
1665 type xserver_var_run_t;
# Read-only access to files labelled xserver_var_run_t, together with the
# files_search_pids grant (presumably search on the /var/run directory named
# in the interface summary) needed to reach them.
1668 files_search_pids($1)
1669 read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
1672 ########################################
1674 ## Execute xserver files created in /var/run
1676 ## <param name="domain">
1678 ## Domain allowed access.
1682 interface(`xserver_exec_pid',`
1684 type xserver_var_run_t;
# Lets $1 execute files labelled xserver_var_run_t. No domain transition is
# set up in this interface, so the executed file presumably runs in $1's
# own domain.
# NOTE(review): xserver_write_pid grants write on the same type. A domain
# given both interfaces can modify runtime content and then execute it, so
# callers should be checked for that combination.
1687 files_search_pids($1)
1688 exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
1691 ########################################
1693 ## Write xserver files created in /var/run
1695 ## <param name="domain">
1697 ## Domain allowed access.
1701 interface(`xserver_write_pid',`
1703 type xserver_var_run_t;
# Write access to existing files labelled xserver_var_run_t; this interface
# requests write_files_pattern only, not a manage pattern.
# NOTE(review): xserver_exec_pid grants execute on the same type. Avoid
# handing both interfaces to one domain unless write-then-execute of X
# server runtime files is really intended.
1706 files_search_pids($1)
1707 write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
1710 ########################################
1712 ## Allow append the xdm
1715 ## <param name="domain">
1717 ## Domain allowed access.
1721 interface(`xserver_xdm_append_log',`
1724 attribute xdmhomewriter;
# Side effect beyond the allow rule: $1 is added to the xdmhomewriter
# attribute, so it also picks up every rule written against that attribute
# elsewhere in the policy (those rules are not visible in this interface).
1727 typeattribute $1 xdmhomewriter;
# Append to xdm_log_t files through the *_inherited_* permission set.
# NOTE(review): presumably that set omits "open", which would limit $1 to
# descriptors it was handed; confirm against the permission-set definition.
1728 allow $1 xdm_log_t:file append_inherited_file_perms;
1731 ########################################
1733 ## Read a user's .ICEauthority file.
1735 ## <param name="domain">
1737 ## Domain allowed access.
1741 interface(`xserver_read_user_iceauth',`
1743 type iceauth_home_t;
1746 # Read .Iceauthority file
# iceauth_home_t is the label this module's home-directory transitions give
# to .ICEauthority and .DCOP. Those files carry ICE session authorization
# data, so this read access belongs only with domains that must
# authenticate to the user's session.
1747 allow $1 iceauth_home_t:file read_file_perms;
1750 ########################################
1752 ## Read/write inherited user homedir fonts.
1754 ## <param name="domain">
1756 ## Domain allowed access.
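1760 interface(`xserver_rw_inherited_user_fonts',`
1762 type user_fonts_t, user_fonts_config_t;
# Read/write on font files through the *_inherited_* permission set, i.e.
# intended for descriptors $1 was handed rather than files it opens itself.
1765 allow $1 user_fonts_t:file rw_inherited_file_perms;
# Symlink reads belong to the lnk_file class. The rule previously named the
# file class, which granted nothing for symlinks and only repeated
# permissions already requested on the line above. This now matches the
# user_fonts_t:lnk_file rule in xserver_restricted_role.
1766 allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
# Same inherited read/write access for the per-user fontconfig files.
1768 allow $1 user_fonts_config_t:file rw_inherited_file_perms;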
1771 ########################################
1773 ## Search XDM var lib dirs.
1775 ## <param name="domain">
1777 ## Domain allowed access.
1781 interface(`xserver_search_xdm_lib',`
# Directory search on xdm_var_lib_t and nothing else: this interface
# requests no permission beyond search_dir_perms, so it is suited to
# callers that only need to pass through the directory.
1786 allow $1 xdm_var_lib_t:dir search_dir_perms;
1789 ########################################
1791 ## Make an X executable an entrypoint for the specified domain.
1793 ## <param name="domain">
1795 ## The domain for which the X server executable is an entrypoint.
1799 interface(`xserver_entry_type',`
1801 type xserver_exec_t;
# Declares xserver_exec_t as an entrypoint file type for domain $1, so $1
# can be entered by executing a file with that label. No transition rule is
# added here; which domains may actually transition into $1 has to be
# granted separately.
1804 domain_entry_file($1, xserver_exec_t)
1807 ########################################
1809 ## Execute xserver in the xserver domain, and
1810 ## allow the specified role the xserver domain.
1812 ## <param name="domain">
1814 ## Domain allowed access.
1817 ## <param name="role">
1819 ## The role to be allowed the xserver domain.
1824 interface(`xserver_run',`
# $1 is the calling domain and $2 the role, per the parameter docs above.
# Both halves are needed for the X server to run on behalf of a user in
# that role: the domain transition into the xserver domain, and the role
# being authorised for the xserver_t type.
1829 xserver_domtrans($1)
1830 role $2 types xserver_t;
1833 ########################################
1835 ## Execute xauth in the xauth domain, and
1836 ## allow the specified role the xauth domain.
1838 ## <param name="domain">
1840 ## Domain allowed access.
1843 ## <param name="role">
1845 ## The role to be allowed the xauth domain.
1850 interface(`xserver_run_xauth',`
# $1 is the calling domain and $2 the role. This is the xauth counterpart
# of xserver_run: it pairs the transition set up by xserver_domtrans_xauth
# with authorising role $2 for the xauth_t type.
1855 xserver_domtrans_xauth($1)
1856 role $2 types xauth_t;
1859 ########################################
1861 ## Read user homedir fonts.
1863 ## <param name="domain">
1865 ## Domain allowed access.
1870 interface(`xserver_read_home_fonts',`
1872 type user_fonts_t, user_fonts_config_t;
# Read-only view of per-user fonts: list user_fonts_t directories, and read
# the files and symlinks inside them.
1875 list_dirs_pattern($1, user_fonts_t, user_fonts_t)
1876 read_files_pattern($1, user_fonts_t, user_fonts_t)
1877 read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
# Read the per-user font configuration files (user_fonts_config_t). No rule
# for user_fonts_cache_t is included in this interface.
1879 read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
1882 ########################################
1884 ## Manage user homedir fonts.
1886 ## <param name="domain">
1888 ## Domain allowed access.
1893 interface(`xserver_manage_home_fonts',`
1895 type user_fonts_t, user_fonts_config_t, user_fonts_cache_t;
# Full management (manage_*_pattern) of font directories, files and symlinks
# labelled user_fonts_t. Prefer xserver_read_home_fonts for callers that
# only consume fonts.
1898 manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
1899 manage_files_pattern($1, user_fonts_t, user_fonts_t)
1900 manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
# Management of the per-user font configuration files.
1902 manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
# The named home-directory transitions below are disabled here;
# xserver_filetrans_home_content carries equivalent rules for the same three
# directory names. user_fonts_cache_t is declared above but referenced only
# in these commented-out lines.
1904 # userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts.d")
1905 # userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
1906 # userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
1909 ########################################
1911 ## Transition to xserver named content
1913 ## <param name="domain">
1915 ## Domain allowed access.
1919 interface(`xserver_filetrans_home_content',`
1921 type xdm_home_t, xauth_home_t, iceauth_home_t;
1922 type user_home_t, user_fonts_t, user_fonts_cache_t;
1923 type user_fonts_config_t;
# Named file transitions: when $1 creates an object with one of these exact
# names in a user home directory, the object is labelled with the listed
# type at creation. The match is on object class plus name. These rules
# label new objects only and do not relabel files that already exist.
# user_home_t is declared above but not referenced by any rule below.
#
# Session files written by the display manager.
1926 userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
1927 userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
# ICE authorization data.
1928 userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
1929 userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
# X authorization files. Giving them xauth_home_t from creation keeps them
# under the xauth-specific rules rather than the general home-file label.
1930 userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
1931 userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
1932 userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
# Font configuration, font directory and font cache.
1933 userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
1934 userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
1935 userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
1936 userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
# A directory named "auto" created inside a user_fonts_t directory is
# labelled as font cache rather than inheriting the parent's font label.
1937 filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto")
1940 ########################################
1942 ## Create xserver content in admin home
1943 ## directory with a named file transition.
1945 ## <param name="domain">
1947 ## Domain allowed access.
1951 interface(`xserver_filetrans_admin_home_content',`
1953 type xdm_home_t, xauth_home_t, iceauth_home_t;
1954 type user_home_t, user_fonts_t, user_fonts_cache_t;
1955 type user_fonts_config_t;
1958 userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
1959 userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
1960 userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
1961 userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
1962 userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
1963 userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
1964 userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
1965 userdom_admin_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
1966 userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
1967 userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
1968 userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")