1 ## <summary>X Windows Server</summary>
2
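########################################
## <summary>
##	Rules required for using the X Windows server
##	and environment, for restricted users.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_restricted_role',`
	# xdm_t is required here because the fd, fifo_file, tcp_socket and
	# dbus rules further down name it directly.
	gen_require(`
		type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
		type xdm_t, xdm_tmp_t;
		type iceauth_t, iceauth_exec_t, iceauth_home_t;
		type xauth_t, xauth_exec_t, xauth_home_t;
		class dbus send_msg;
	')

	role $1 types { xserver_t xauth_t iceauth_t };

	# Xserver read/write client shm
	allow xserver_t $2:fd use;
	allow xserver_t $2:shm rw_shm_perms;

	allow xserver_t $2:process { getpgid signal };

	# Per user fonts and font configuration are read only here;
	# only the font cache is managed.
	allow $2 user_fonts_t:dir list_dir_perms;
	allow $2 user_fonts_t:file read_file_perms;
	allow $2 user_fonts_t:lnk_file read_lnk_file_perms;

	allow $2 user_fonts_config_t:dir list_dir_perms;
	allow $2 user_fonts_config_t:file read_file_perms;

	manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)

	stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
	allow $2 xserver_tmp_t:sock_file delete_sock_file_perms;
	dontaudit $2 xdm_tmp_t:sock_file setattr_sock_file_perms;
	files_search_tmp($2)

	# Client read xserver shm.  Write access is only granted through
	# the allow_write_xshm tunable at the end of this interface.
	allow $2 xserver_t:fd use;
	allow $2 xserver_t:shm r_shm_perms;
	allow $2 xserver_tmpfs_t:file read_file_perms;

	# allow ps to show iceauth
	ps_process_pattern($2, iceauth_t)

	domtrans_pattern($2, iceauth_exec_t, iceauth_t)

	allow $2 iceauth_home_t:file read_file_perms;

	domtrans_pattern($2, xauth_exec_t, xauth_t)

	allow $2 xauth_t:process signal;

	# allow ps to show xauth
	ps_process_pattern($2, xauth_t)
	allow $2 xserver_t:process signal;

	allow $2 xauth_home_t:file read_file_perms;

	# for when /tmp/.X11-unix is created by the system
	allow $2 xdm_t:fd use;
	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
	allow $2 xdm_tmp_t:dir search_dir_perms;
	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
	dontaudit $2 xdm_t:tcp_socket { read write };
	dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;

	allow $2 xdm_t:dbus send_msg;
	allow xdm_t $2:dbus send_msg;

	# Read /tmp/.X0-lock
	allow $2 xserver_tmp_t:file read_inherited_file_perms;

	# NOTE(review): the device grants below are broad for a role that
	# is described as restricted; confirm each one is still needed.
	dev_rw_xserver_misc($2)
	dev_rw_power_management($2)
	dev_read_input($2)
	dev_read_misc($2)
	dev_write_misc($2)
	# open office is looking for the following
	dev_getattr_agp_dev($2)

	# GNOME checks for usb and other devices:
	dev_rw_usbfs($2)

	miscfiles_read_fonts($2)
	miscfiles_setattr_fonts_cache_dirs($2)
	miscfiles_read_hwdata($2)

	# The prefix is fixed to user, so every domain passed to this
	# interface is given the user_ X object types.
	xserver_common_x_domain_template(user, $2)
	xserver_domtrans($2)
	#xserver_unconfined($2)
	xserver_xsession_entry_type($2)
	xserver_dontaudit_write_log($2)
	xserver_stream_connect_xdm($2)
	# certain apps want to read xdm.pid file
	xserver_read_xdm_pid($2)
	# gnome-session creates socket under /tmp/.ICE-unix/
	xserver_create_xdm_tmp_sockets($2)
	# Needed for escd, remove if we get escd policy
	xserver_manage_xdm_tmp_files($2)
	xserver_read_xdm_etc_files($2)
	xserver_xdm_append_log($2)

	term_use_virtio_console($2)

	# Applies to xserver_t and the role, not to the calling domain.
	modutils_run_insmod(xserver_t, $1)

	# Client write xserver shm
	tunable_policy(`allow_write_xshm',`
		allow $2 xserver_t:shm rw_shm_perms;
		allow $2 xserver_tmpfs_t:file rw_file_perms;
	')

	tunable_policy(`user_direct_dri',`
		dev_rw_dri($2)
	')
')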
136
########################################
## <summary>
##	Rules required for using the X Windows server
##	and environment.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_role',`
	gen_require(`
		type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
	')

	# Start from the restricted rule set; everything below widens it.
	xserver_restricted_role($1, $2)

	# Communicate via System V shared memory.  This grant is
	# unconditional, whereas xserver_restricted_role only gives write
	# access through the allow_write_xshm tunable.
	allow $2 xserver_t:shm rw_shm_perms;
	allow $2 xserver_tmpfs_t:file rw_file_perms;

	# Manage and relabel the ICE and X authority files.
	allow $2 iceauth_home_t:file manage_file_perms;
	allow $2 iceauth_home_t:file relabel_file_perms;

	allow $2 xauth_home_t:file manage_file_perms;
	allow $2 xauth_home_t:file relabel_file_perms;

	mls_xwin_read_to_clearance($2)

	# User fonts: manage and relabel instead of read only.
	manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
	manage_files_pattern($2, user_fonts_t, user_fonts_t)
	allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
	relabel_files_pattern($2, user_fonts_t, user_fonts_t)

	# User font cache.
	manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
	relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
	relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)

	# User font configuration.
	manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
')
188
#######################################
## <summary>
##	Create sessions on the X server, with read-only
##	access to the X server shared
##	memory segments.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="tmpfs_type">
##	<summary>
##	The type of the domain SYSV tmpfs files.
##	</summary>
## </param>
#
interface(`xserver_ro_session',`
	gen_require(`
		type xserver_t, xserver_tmp_t, xserver_tmpfs_t;
	')

	# Xserver read/write client shm.  Read-only in the summary refers
	# to the client side only: the server gets read and write access
	# to the client segments and tmpfs files.
	allow xserver_t $1:fd use;
	allow xserver_t $1:shm rw_shm_perms;
	allow xserver_t $2:file rw_file_perms;

	# Connect to xserver
	allow $1 xserver_t:unix_stream_socket connectto;
	allow $1 xserver_t:process signal;

	# Read /tmp/.X0-lock
	allow $1 xserver_tmp_t:file read_file_perms;

	# Client read xserver shm
	allow $1 xserver_t:fd use;
	allow $1 xserver_t:shm r_shm_perms;
	allow $1 xserver_tmpfs_t:file read_file_perms;
')
228
#######################################
## <summary>
##	Create sessions on the X server, with read and write
##	access to the X server shared
##	memory segments.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="tmpfs_type">
##	<summary>
##	The type of the domain SYSV tmpfs files.
##	</summary>
## </param>
#
interface(`xserver_rw_session',`
	gen_require(`
		type xserver_t, xserver_tmpfs_t;
	')

	# Everything the read-only session gets ...
	xserver_ro_session($1, $2)

	# ... plus write access to the X server shm and its tmpfs files.
	allow $1 xserver_t:shm rw_shm_perms;
	allow $1 xserver_tmpfs_t:file rw_file_perms;
')
255
#######################################
## <summary>
##	Create non-drawing client sessions on an X server.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_non_drawing_client',`
	gen_require(`
		class x_drawable { getattr get_property };
		class x_extension { query use };
		class x_gc { create setattr };
		class x_property read;

		type xserver_t, xdm_var_run_t;
		type xextension_t, xproperty_t, root_xdrawable_t;
	')

	# Reach the X server socket.
	allow $1 xdm_var_run_t:dir search_dir_perms;
	allow $1 xserver_t:unix_stream_socket connectto;

	# X object permissions: own graphics contexts, extension queries,
	# and read-only access to the root window and to properties.
	allow $1 self:x_gc { create setattr };
	allow $1 xextension_t:x_extension { query use };
	allow $1 root_xdrawable_t:x_drawable { getattr get_property };
	allow $1 xproperty_t:x_property read;
')
286
#######################################
## <summary>
##	Create full client sessions
##	on a user X server.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="tmpfs_type">
##	<summary>
##	The type of the domain SYSV tmpfs files.
##	</summary>
## </param>
#
interface(`xserver_user_client',`
	# Deprecated.  The replacement template takes a prefix as its
	# first argument, followed by the domain and the tmpfs type.
	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
	gen_require(`
		type xdm_t, xdm_tmp_t;
		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
	')

	allow $1 self:shm create_shm_perms;
	allow $1 self:unix_dgram_socket create_socket_perms;
	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };

	# Read .Xauthority file
	allow $1 xauth_home_t:file read_file_perms;
	allow $1 iceauth_home_t:file read_file_perms;

	# for when /tmp/.X11-unix is created by the system
	allow $1 xdm_t:fd use;
	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
	allow $1 xdm_tmp_t:dir search_dir_perms;
	allow $1 xdm_tmp_t:sock_file { read write };
	dontaudit $1 xdm_t:tcp_socket { read write };

	# Allow connections to X server.
	files_search_tmp($1)

	miscfiles_read_fonts($1)

	userdom_search_user_home_dirs($1)
	# for .xsession-errors
	userdom_dontaudit_write_user_home_content_files($1)

	xserver_ro_session($1,$2)
	xserver_use_user_fonts($1)

	xserver_read_xdm_tmp_files($1)

	# Client write xserver shm
	tunable_policy(`allow_write_xshm',`
		allow $1 xserver_t:shm rw_shm_perms;
		allow $1 xserver_tmpfs_t:file rw_file_perms;
	')
')
345
#######################################
## <summary>
##	Interface to provide X object permissions on a given X server to
##	an X client domain.  Provides the minimal set required by a basic
##	X client application.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix of the X client domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Client domain allowed access.
##	</summary>
## </param>
#
template(`xserver_common_x_domain_template',`
	gen_require(`
		type root_xdrawable_t, xdm_t, xserver_t;
		type xproperty_t, $1_xproperty_t;
		type xevent_t, client_xevent_t;
		type input_xevent_t, $1_input_xevent_t;

		attribute x_domain, input_xevent_type;
		attribute xdrawable_type, xcolormap_type;

		class x_drawable all_x_drawable_perms;
		class x_property all_x_property_perms;
		class x_event all_x_event_perms;
		class x_synthetic_event all_x_synthetic_event_perms;
		class x_client destroy;
		class x_server manage;
		class x_screen { saver_setattr saver_hide saver_show };
		class x_pointer { get_property set_property manage };
		class x_keyboard { read manage };
	')

	##############################
	#
	# Local Policy
	#

	# Type attributes
	typeattribute $2 x_domain;
	typeattribute $2 xdrawable_type, xcolormap_type;

	# X Properties
	# disable property transitions for the time being.
	# type_transition $2 xproperty_t:x_property $1_xproperty_t;

	# X Windows
	# new windows have the domain type
	type_transition $2 root_xdrawable_t:x_drawable $2;

	# X Input
	# distinguish input events
	type_transition $2 input_xevent_t:x_event $1_input_xevent_t;
	# can send own events
	allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } send;
	# can receive own events
	allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
	# can receive default events
	allow $2 client_xevent_t:{ x_event x_synthetic_event } receive;
	allow $2 xevent_t:{ x_event x_synthetic_event } receive;
	# dont audit send failures
	dontaudit $2 input_xevent_type:x_event send;

	# Objects owned by the display manager.
	allow $2 xdm_t:x_drawable { hide read add_child manage };
	allow $2 xdm_t:x_client destroy;

	# Root window and server wide objects.
	# NOTE(review): manage on x_server, x_pointer and x_keyboard plus
	# read on x_keyboard is granted to every client domain that uses
	# this template; confirm that fits the minimal set the summary
	# promises.
	allow $2 root_xdrawable_t:x_drawable write;
	allow $2 xserver_t:x_server manage;
	allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show };
	allow $2 xserver_t:x_pointer { get_property set_property manage };
	allow $2 xserver_t:x_keyboard { read manage };
')
424
#######################################
## <summary>
##	Template for creating the set of types used
##	in an X windows domain.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix of the X client domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`xserver_object_types_template',`
	gen_require(`
		attribute xproperty_type, input_xevent_type, xevent_type;
	')

	##############################
	#
	# Declarations
	#

	# Property type for this prefix.
	type $1_xproperty_t, xproperty_type;
	ubac_constrained($1_xproperty_t)

	# Input event type for this prefix.
	type $1_input_xevent_t, input_xevent_type, xevent_type;
	ubac_constrained($1_input_xevent_t)
')
455
#######################################
## <summary>
##	Interface to provide X object permissions on a given X server to
##	an X client domain.  Provides the minimal set required by a basic
##	X client application.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix of the X client domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Client domain allowed access.
##	</summary>
## </param>
## <param name="tmpfs_type">
##	<summary>
##	The type of the domain SYSV tmpfs files.
##	</summary>
## </param>
#
template(`xserver_user_x_domain_template',`
	gen_require(`
		type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
		type xdm_home_t;
		type xauth_home_t, iceauth_home_t, xserver_t;
	')

	allow $2 self:shm create_shm_perms;
	allow $2 self:unix_dgram_socket create_socket_perms;
	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };

	# Read .Xauthority file
	allow $2 xauth_home_t:file read_file_perms;
	allow $2 iceauth_home_t:file read_file_perms;

	# Named file transitions: these files get their dedicated type
	# when the domain creates them in the user home directory.
	userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".DCOP")
	userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority")
	userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority")
	userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth")
	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors")
	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".dmrc")

	# for when /tmp/.X11-unix is created by the system
	allow $2 xdm_t:fd use;
	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
	allow $2 xdm_tmp_t:dir search_dir_perms;
	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
	dontaudit $2 xdm_t:tcp_socket { read write };

	# Allow connections to X server.
	files_search_tmp($2)

	miscfiles_read_fonts($2)

	userdom_search_user_home_dirs($2)
	# for .xsession-errors
	userdom_dontaudit_write_user_home_content_files($2)

	xserver_ro_session($2, $3)
	xserver_use_user_fonts($2)

	xserver_read_xdm_tmp_files($2)
	xserver_read_xdm_pid($2)
	xserver_xdm_append_log($2)

	# X object manager: declare the per prefix types first, then
	# grant the domain the common permissions on them.
	xserver_object_types_template($1)
	xserver_common_x_domain_template($1, $2)

	# Client write xserver shm
	tunable_policy(`allow_write_xshm',`
		allow $2 xserver_t:shm rw_shm_perms;
		allow $2 xserver_tmpfs_t:file rw_file_perms;
	')

	tunable_policy(`user_direct_dri',`
		dev_rw_dri($2)
	')
')
538
########################################
## <summary>
##	Read user fonts, user font configuration,
##	and manage the user font cache.
## </summary>
## <desc>
##	<p>
##	Read user fonts, user font configuration,
##	and manage the user font cache.
##	</p>
##	<p>
##	This is a templated interface, and should only
##	be called from a per-userdomain template.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_use_user_fonts',`
	gen_require(`
		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
	')

	# The font types live below the user home directory.
	userdom_search_user_home_dirs($1)

	# Read per user fonts
	allow $1 user_fonts_t:dir list_dir_perms;
	allow $1 user_fonts_t:file read_file_perms;
	allow $1 user_fonts_t:lnk_file read_lnk_file_perms;

	# Read per user font config
	allow $1 user_fonts_config_t:dir list_dir_perms;
	allow $1 user_fonts_config_t:file read_file_perms;

	# Manage the user font cache (the only writable part)
	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
	manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
')
580
########################################
## <summary>
##	Transition to the Xauthority domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`xserver_domtrans_xauth',`
	gen_require(`
		type xauth_t, xauth_exec_t;
	')

	# Running a file labeled xauth_exec_t moves the caller into xauth_t.
	domtrans_pattern($1, xauth_exec_t, xauth_t)
')
598
########################################
## <summary>
##	Do not audit attempts to execute the
##	Xauthority program.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`xserver_dontaudit_exec_xauth',`
	gen_require(`
		type xauth_exec_t;
	')

	# The access stays denied; only the audit record is suppressed.
	dontaudit $1 xauth_exec_t:file execute;
')
616
########################################
## <summary>
##	Create a Xauthority file in the user home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_user_home_dir_filetrans_user_xauth',`
	gen_require(`
		type xauth_home_t;
	')

	# No file name is given, so the transition is not limited to
	# one named file.
	userdom_user_home_dir_filetrans($1, xauth_home_t, file)
')
634
########################################
## <summary>
##	Read all users fonts, user font configurations,
##	and manage all users font caches.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_use_all_users_fonts',`
	# Deprecated wrapper kept for existing callers; it only warns
	# and forwards to xserver_use_user_fonts.
	refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.')
	xserver_use_user_fonts($1)
')
650
########################################
## <summary>
##	Read all users .Xauthority.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_user_xauth',`
	gen_require(`
		type xauth_home_t;
	')

	# X authority files hold the data that authenticates clients to
	# the X server, so this grant should be limited to domains that
	# need to open a display on behalf of the user.
	userdom_search_user_home_dirs($1)
	allow $1 xauth_home_t:file read_file_perms;

	# Beyond what the summary states, the XDM pid files become
	# readable as well.
	xserver_read_xdm_pid($1)
')
670
########################################
## <summary>
##	Set the attributes of the X windows console named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_setattr_console_pipes',`
	gen_require(`
		type xconsole_device_t;
	')

	# Attribute changes only; no read or write access to the pipe.
	allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
')
688
########################################
## <summary>
##	Read and write the X windows console named pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_rw_console',`
	gen_require(`
		type xconsole_device_t;
	')

	# Read and write on the existing pipe labeled xconsole_device_t.
	allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
')
706
########################################
## <summary>
##	Read XDM state files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_state_xdm',`
	gen_require(`
		type xdm_t;
	')

	# The state files are the /proc entries of xdm_t processes.
	kernel_search_proc($1)
	ps_process_pattern($1, xdm_t)
')
725
########################################
## <summary>
##	Use file descriptors for xdm.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_use_xdm_fds',`
	gen_require(`
		type xdm_t;
	')

	# Covers descriptors inherited or received from xdm_t; access to
	# the object behind each descriptor is checked separately.
	allow $1 xdm_t:fd use;
')
743
########################################
## <summary>
##	Do not audit attempts to inherit
##	XDM file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`xserver_dontaudit_use_xdm_fds',`
	gen_require(`
		type xdm_t;
	')

	# Silences the denial only; the descriptors stay unusable.
	dontaudit $1 xdm_t:fd use;
')
762
########################################
## <summary>
##	Read and write XDM unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_rw_xdm_pipes',`
	gen_require(`
		type xdm_t;
	')

	# Uses the inherited permission set for pipes owned by xdm_t.
	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
')
780
########################################
## <summary>
##	Do not audit attempts to read and write
##	XDM unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
	gen_require(`
		type xdm_t;
	')

	# Uses rw_fifo_file_perms, while the matching allow interface
	# xserver_rw_xdm_pipes uses the inherited permission set.
	dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
')
799
########################################
## <summary>
##	Connect to XDM over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_stream_connect_xdm',`
	gen_require(`
		type xdm_t, xdm_tmp_t, xdm_var_run_t;
	')

	# The socket file may be labeled with either the XDM tmp type or
	# the XDM pid type, so both parent directories are searched.
	files_search_tmp($1)
	files_search_pids($1)
	stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
')
820
########################################
## <summary>
##	Read XDM files in user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_xdm_home_files',`
	gen_require(`
		type xdm_home_t;
	')

	# Search the home directory, then read files labeled xdm_home_t.
	userdom_search_user_home_dirs($1)
	allow $1 xdm_home_t:file read_file_perms;
')
839
########################################
## <summary>
##	Read xdm-writable configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_xdm_rw_config',`
	gen_require(`
		type xdm_rw_etc_t;
	')

	# Read only for the caller.
	files_search_etc($1)
	allow $1 xdm_rw_etc_t:file read_file_perms;
')
858
########################################
## <summary>
##	Search XDM temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_search_xdm_tmp_dirs',`
	gen_require(`
		type xdm_tmp_t;
	')

	# Search only: directory contents cannot be listed with this.
	files_search_tmp($1)
	allow $1 xdm_tmp_t:dir search_dir_perms;
')
877
########################################
## <summary>
##	Set the attributes of XDM temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_setattr_xdm_tmp_dirs',`
	gen_require(`
		type xdm_tmp_t;
	')

	# No search of the parent tmp directory is granted here.
	allow $1 xdm_tmp_t:dir setattr_dir_perms;
')
895
########################################
## <summary>
##	Create a named socket in a XDM
##	temporary directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_create_xdm_tmp_sockets',`
	gen_require(`
		type xdm_tmp_t;
	')

	# Listing the directory is allowed in addition to creating
	# socket files in it.
	files_search_tmp($1)
	allow $1 xdm_tmp_t:dir list_dir_perms;
	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
916
########################################
## <summary>
##	Read XDM pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_xdm_pid',`
	gen_require(`
		type xdm_var_run_t;
	')

	# Search the pid directory, then read files labeled xdm_var_run_t.
	files_search_pids($1)
	read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
')
935
######################################
## <summary>
##	Do not audit attempts to read XDM pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`xserver_dontaudit_read_xdm_pid',`
	gen_require(`
		type xdm_var_run_t;
	')

	# Both the directory search and the file read denial are hidden
	# from the audit log; the access itself stays denied.
	dontaudit $1 xdm_var_run_t:dir search_dir_perms;
	dontaudit $1 xdm_var_run_t:file read_file_perms;
')
954
########################################
## <summary>
##	Read XDM var lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_xdm_lib_files',`
	gen_require(`
		type xdm_var_lib_t;
	')

	# File access only; no directory search is granted by this
	# interface.
	allow $1 xdm_var_lib_t:file read_file_perms;
')
972
########################################
## <summary>
##	Read inherited XDM var lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_inherited_xdm_lib_files',`
	gen_require(`
		type xdm_var_lib_t;
	')

	# Narrower than xserver_read_xdm_lib_files: uses the inherited
	# permission set instead of read_file_perms.
	allow $1 xdm_var_lib_t:file read_inherited_file_perms;
')
990
########################################
## <summary>
##	Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The domain for which the shell is an entrypoint.
##	</summary>
## </param>
#
interface(`xserver_xsession_entry_type',`
	gen_require(`
		type xsession_exec_t;
	')

	# Marks xsession_exec_t as a valid entry file for the domain; the
	# transition itself is granted elsewhere.
	domain_entry_file($1, xsession_exec_t)
')
1008
########################################
## <summary>
##	Execute an X session in the target domain.  This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <desc>
##	<p>
##	Execute an Xsession in the target domain.  This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the shell process.
##	</summary>
## </param>
#
interface(`xserver_xsession_spec_domtrans',`
	gen_require(`
		type xsession_exec_t;
	')

	# Permission to transition only; no default transition rule is
	# added, so the caller has to request the target context.
	domain_trans($1, xsession_exec_t, $2)
')
1045
########################################
## <summary>
##	Get the attributes of X server logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_getattr_log',`
	gen_require(`
		type xserver_log_t;
	')

	# Attribute lookups only; log contents stay unreadable.
	logging_search_logs($1)
	allow $1 xserver_log_t:file getattr_file_perms;
')
1064
########################################
## <summary>
##	Do not audit attempts to write the X server
##	log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`xserver_dontaudit_write_log',`
	gen_require(`
		type xserver_log_t;
	')

	# NOTE(review): the rule uses rw_inherited_file_perms, so it
	# presumably hides denied reads of inherited log descriptors as
	# well as the writes named in the summary; confirm that is wanted.
	dontaudit $1 xserver_log_t:file rw_inherited_file_perms;
')
1083
########################################
## <summary>
##	Delete X server log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_delete_log',`
	gen_require(`
		type xserver_log_t;
	')

	# Deleting logs removes forensic evidence, so callers of this
	# interface deserve review.  Named pipes with the log type are
	# covered in addition to regular files.
	logging_search_logs($1)
	allow $1 xserver_log_t:dir list_dir_perms;
	delete_files_pattern($1, xserver_log_t, xserver_log_t)
	delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t)
')
1104
########################################
## <summary>
##	Read X keyboard extension libraries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_xkb_libs',`
	gen_require(`
		type xkb_var_lib_t;
	')

	# Directory listing plus read access to files and symlinks.
	files_search_var_lib($1)
	allow $1 xkb_var_lib_t:dir list_dir_perms;
	read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
	read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
')
1125
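########################################
## <summary>
##	Read xdm config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_xdm_etc_files',`
	gen_require(`
		type xdm_etc_t;
	')

	# This interface grants access (allow rules through the read
	# patterns); it does not suppress auditing.
	files_search_etc($1)
	read_files_pattern($1, xdm_etc_t, xdm_etc_t)
	read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
')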
1145
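########################################
## <summary>
##	Manage xdm config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_manage_xdm_etc_files',`
	gen_require(`
		type xdm_etc_t;
	')

	# Grants write access to display manager configuration, so the
	# set of callers should be kept small.
	files_search_etc($1)
	manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
')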
1164
########################################
## <summary>
##	Read xdm temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_read_xdm_tmp_files',`
	gen_require(`
		type xdm_tmp_t;
	')

	# Search the tmp directory, then read files labeled xdm_tmp_t.
	files_search_tmp($1)
	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
1183
########################################
## <summary>
##	Do not audit attempts to read xdm temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`xserver_dontaudit_read_xdm_tmp_files',`
	gen_require(`
		type xdm_tmp_t;
	')

	# Hides both the directory search and the file read denial from
	# the audit log; neither access is granted.
	dontaudit $1 xdm_tmp_t:dir search_dir_perms;
	dontaudit $1 xdm_tmp_t:file read_file_perms;
')
1202
1203 ########################################
1204 ## <summary>
1205 ## Read and write xdm temporary files.
1206 ## </summary>
1207 ## <param name="domain">
1208 ## <summary>
1209 ## Domain allowed access.
1210 ## </summary>
1211 ## </param>
1212 #
1213 interface(`xserver_rw_xdm_tmp_files',`
1214 gen_require(`
1215 type xdm_tmp_t;
1216 ')
1217
1218 allow $1 xdm_tmp_t:dir search_dir_perms;
1219 allow $1 xdm_tmp_t:file rw_file_perms;
1220 ')
1221
1222 ########################################
1223 ## <summary>
1224 ## Create, read, write, and delete xdm temporary files.
1225 ## </summary>
1226 ## <param name="domain">
1227 ## <summary>
1228 ## Domain allowed access.
1229 ## </summary>
1230 ## </param>
1231 #
1232 interface(`xserver_manage_xdm_tmp_files',`
1233 gen_require(`
1234 type xdm_tmp_t;
1235 ')
1236
1237 manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
1238 ')
1239
1240 ########################################
1241 ## <summary>
1242 ## Relabel xdm temporary dirs.
1243 ## </summary>
1244 ## <param name="domain">
1245 ## <summary>
1246 ## Domain allowed access.
1247 ## </summary>
1248 ## </param>
1249 #
1250 interface(`xserver_relabel_xdm_tmp_dirs',`
1251 gen_require(`
1252 type xdm_tmp_t;
1253 ')
1254
1255 allow $1 xdm_tmp_t:dir relabel_dir_perms;
1256 ')
1257
1258 ########################################
1259 ## <summary>
1260 ## Create, read, write, and delete xdm temporary dirs.
1261 ## </summary>
1262 ## <param name="domain">
1263 ## <summary>
1264 ## Domain allowed access.
1265 ## </summary>
1266 ## </param>
1267 #
1268 interface(`xserver_manage_xdm_tmp_dirs',`
1269 gen_require(`
1270 type xdm_tmp_t;
1271 ')
1272
1273 manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
1274 ')
1275
1276 ########################################
1277 ## <summary>
1278 ## Do not audit attempts to get the attributes of
1279 ## xdm temporary named sockets.
1280 ## </summary>
1281 ## <param name="domain">
1282 ## <summary>
1283 ## Domain to not audit.
1284 ## </summary>
1285 ## </param>
1286 #
1287 interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
1288 gen_require(`
1289 type xdm_tmp_t;
1290 ')
1291
1292 dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
1293 ')
1294
1295 ########################################
1296 ## <summary>
1297 ## Execute the X server in the X server domain.
1298 ## </summary>
1299 ## <param name="domain">
1300 ## <summary>
1301 ## Domain allowed to transition.
1302 ## </summary>
1303 ## </param>
1304 #
1305 interface(`xserver_domtrans',`
1306 gen_require(`
1307 type xserver_t, xserver_exec_t;
1308 ')
1309
1310 allow $1 xserver_t:process siginh;
1311 domtrans_pattern($1, xserver_exec_t, xserver_t)
1312
1313 allow xserver_t $1:process getpgid;
1314 ')
1315
1316 ########################################
1317 ## <summary>
1318 ## Signal X servers
1319 ## </summary>
1320 ## <param name="domain">
1321 ## <summary>
1322 ## Domain allowed access.
1323 ## </summary>
1324 ## </param>
1325 #
1326 interface(`xserver_signal',`
1327 gen_require(`
1328 type xserver_t;
1329 ')
1330
1331 allow $1 xserver_t:process signal;
1332 ')
1333
1334 ########################################
1335 ## <summary>
1336 ## Kill X servers
1337 ## </summary>
1338 ## <param name="domain">
1339 ## <summary>
1340 ## Domain allowed access.
1341 ## </summary>
1342 ## </param>
1343 #
1344 interface(`xserver_kill',`
1345 gen_require(`
1346 type xserver_t;
1347 ')
1348
1349 allow $1 xserver_t:process sigkill;
1350 ')
1351
1352 ########################################
1353 ## <summary>
1354 ## Read and write X server Sys V Shared
1355 ## memory segments.
1356 ## </summary>
1357 ## <param name="domain">
1358 ## <summary>
1359 ## Domain allowed access.
1360 ## </summary>
1361 ## </param>
1362 #
1363 interface(`xserver_rw_shm',`
1364 gen_require(`
1365 type xserver_t;
1366 ')
1367
1368 allow $1 xserver_t:shm rw_shm_perms;
1369 ')
1370
1371 ########################################
1372 ## <summary>
1373 ## Do not audit attempts to read and write to
1374 ## X server sockets.
1375 ## </summary>
1376 ## <param name="domain">
1377 ## <summary>
1378 ## Domain to not audit.
1379 ## </summary>
1380 ## </param>
1381 #
1382 interface(`xserver_dontaudit_rw_tcp_sockets',`
1383 gen_require(`
1384 type xserver_t;
1385 ')
1386
1387 dontaudit $1 xserver_t:tcp_socket { read write };
1388 ')
1389
1390 ########################################
1391 ## <summary>
1392 ## Do not audit attempts to read and write X server
1393 ## unix domain stream sockets.
1394 ## </summary>
1395 ## <param name="domain">
1396 ## <summary>
1397 ## Domain to not audit.
1398 ## </summary>
1399 ## </param>
1400 #
1401 interface(`xserver_dontaudit_rw_stream_sockets',`
1402 gen_require(`
1403 type xserver_t;
1404 ')
1405
1406 dontaudit $1 xserver_t:unix_stream_socket { read write };
1407 ')
1408
1409 ########################################
1410 ## <summary>
1411 ## Connect to the X server over a unix domain stream socket, and
1412 ## allow the X server to read and write the domain's shared memory.
1413 ## </summary>
1414 ## <param name="domain">
1415 ## <summary>
1416 ## Domain allowed access.
1417 ## </summary>
1418 ## </param>
1419 #
1420 interface(`xserver_stream_connect',`
1421 gen_require(`
1422 type xserver_t, xserver_tmp_t;
1423 ')
1424
1425 files_search_tmp($1)
1426 stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
1427 allow xserver_t $1:shm rw_shm_perms;
1428 ')
1429
1430 ######################################
1431 ## <summary>
1432 ## Do not audit attempts to connect to the X server
1433 ## over a unix stream socket.
1434 ## </summary>
1435 ## <param name="domain">
1436 ## <summary>
1437 ## Domain to not audit.
1438 ## </summary>
1439 ## </param>
1440 #
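interface(`xserver_dontaudit_stream_connect',`
	gen_require(`
		type xserver_t, xserver_tmp_t;
	')

	# Suppress audit records only. The previous body called
	# stream_connect_pattern, which grants the connection rather than
	# silencing the denial, so every caller of this dontaudit interface
	# was given access to the X server socket.
	# NOTE(review): the three rules below mirror the accesses that
	# stream_connect_pattern is expected to cover (search of the socket
	# directory, write on the sock_file, connectto on the stream socket).
	# Confirm against the definition of the pattern in this tree, and
	# check that no caller relied on the access that was granted by
	# mistake.
	dontaudit $1 xserver_tmp_t:dir search_dir_perms;
	dontaudit $1 xserver_tmp_t:sock_file write_sock_file_perms;
	dontaudit $1 xserver_t:unix_stream_socket connectto;
')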
1448
1449 ########################################
1450 ## <summary>
1451 ## Read X server temporary files.
1452 ## </summary>
1453 ## <param name="domain">
1454 ## <summary>
1455 ## Domain allowed access.
1456 ## </summary>
1457 ## </param>
1458 #
1459 interface(`xserver_read_tmp_files',`
1460 gen_require(`
1461 type xserver_tmp_t;
1462 ')
1463
1464 allow $1 xserver_tmp_t:file read_file_perms;
1465 files_search_tmp($1)
1466 ')
1467
1468 ########################################
1469 ## <summary>
1470 ## Interface to provide X object permissions on a given X server to
1471 ## an X client domain. Gives the domain all permissions (not only read)
1472 ## on the virtual core keyboard and virtual core pointer devices.
1473 ## </summary>
1474 ## <param name="domain">
1475 ## <summary>
1476 ## Domain allowed access.
1477 ## </summary>
1478 ## </param>
1479 #
1480 interface(`xserver_manage_core_devices',`
1481 gen_require(`
1482 type xserver_t, root_xdrawable_t;
1483 class x_device all_x_device_perms;
1484 class x_pointer all_x_pointer_perms;
1485 class x_keyboard all_x_keyboard_perms;
1486 class x_screen all_x_screen_perms;
1487 class x_drawable { manage };
1488 attribute x_domain;
1489 class x_drawable { read manage setattr show };
1490 class x_resource { write read };
1491 ')
1492
1493 allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
1494 allow $1 xserver_t:{ x_screen } setattr;
1495
1496 allow $1 x_domain:x_drawable { read manage setattr show };
1497 allow $1 x_domain:x_resource { write read };
1498 allow $1 root_xdrawable_t:x_drawable { manage read };
1499 ')
1500
1501 ########################################
1502 ## <summary>
1503 ## Interface to provide X object permissions on a given X server to
1504 ## an X client domain. Gives the domain complete control over the
1505 ## display.
1506 ## </summary>
1507 ## <param name="domain">
1508 ## <summary>
1509 ## Domain allowed access.
1510 ## </summary>
1511 ## </param>
1512 #
1513 interface(`xserver_unconfined',`
1514 gen_require(`
1515 attribute x_domain, xserver_unconfined_type;
1516 ')
1517
1518 typeattribute $1 x_domain;
1519 typeattribute $1 xserver_unconfined_type;
1520 ')
1521
1522 ########################################
1523 ## <summary>
1524 ## Do not audit attempts to append to the .xsession-errors file.
1525 ## </summary>
1526 ## <param name="domain">
1527 ## <summary>
1528 ## Domain to not audit
1529 ## </summary>
1530 ## </param>
1531 #
1532 interface(`xserver_dontaudit_append_xdm_home_files',`
1533 gen_require(`
1534 type xdm_home_t;
1535 ')
1536
1537 dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
1538
1539 tunable_policy(`use_nfs_home_dirs',`
1540 fs_dontaudit_rw_nfs_files($1)
1541 ')
1542
1543 tunable_policy(`use_samba_home_dirs',`
1544 fs_dontaudit_rw_cifs_files($1)
1545 ')
1546 ')
1547
1548 ########################################
1549 ## <summary>
1550 ## Append to the .xsession-errors file and to X server temporary files.
1551 ## </summary>
1552 ## <param name="domain">
1553 ## <summary>
1554 ## Domain allowed access.
1555 ## </summary>
1556 ## </param>
1557 #
1558 interface(`xserver_append_xdm_home_files',`
1559 gen_require(`
1560 type xdm_home_t, xserver_tmp_t;
1561 ')
1562
1563 allow $1 xdm_home_t:file append_file_perms;
1564 allow $1 xserver_tmp_t:file append_file_perms;
1565
1566 tunable_policy(`use_nfs_home_dirs',`
1567 fs_append_nfs_files($1)
1568 ')
1569
1570 tunable_policy(`use_samba_home_dirs',`
1571 fs_append_cifs_files($1)
1572 ')
1573 ')
1574
1575 #######################################
1576 ## <summary>
1577 ## Search the xdm_spool directories.
1578 ## </summary>
1579 ## <param name="domain">
1580 ## <summary>
1581 ## Domain allowed access.
1582 ## </summary>
1583 ## </param>
1584 #
1585 interface(`xserver_xdm_search_spool',`
1586 gen_require(`
1587 type xdm_spool_t;
1588 ')
1589
1590 files_search_spool($1)
1591 search_dirs_pattern($1, xdm_spool_t, xdm_spool_t)
1592 ')
1593
1594 ######################################
1595 ## <summary>
1596 ## Read the xdm_spool files.
1597 ## </summary>
1598 ## <param name="domain">
1599 ## <summary>
1600 ## Domain allowed access.
1601 ## </summary>
1602 ## </param>
1603 #
1604 interface(`xserver_xdm_read_spool',`
1605 gen_require(`
1606 type xdm_spool_t;
1607 ')
1608
1609 files_search_spool($1)
1610 read_files_pattern($1, xdm_spool_t, xdm_spool_t)
1611 ')
1612
1613 ########################################
1614 ## <summary>
1615 ## Manage the xdm_spool files
1616 ## </summary>
1617 ## <param name="domain">
1618 ## <summary>
1619 ## Domain allowed access.
1620 ## </summary>
1621 ## </param>
1622 #
1623 interface(`xserver_xdm_manage_spool',`
1624 gen_require(`
1625 type xdm_spool_t;
1626 ')
1627
1628 files_search_spool($1)
1629 manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
1630 ')
1631
1632 ########################################
1633 ## <summary>
1634 ## Send and receive messages from
1635 ## xdm over dbus.
1636 ## </summary>
1637 ## <param name="domain">
1638 ## <summary>
1639 ## Domain allowed access.
1640 ## </summary>
1641 ## </param>
1642 #
1643 interface(`xserver_dbus_chat_xdm',`
1644 gen_require(`
1645 type xdm_t;
1646 class dbus send_msg;
1647 ')
1648
1649 allow $1 xdm_t:dbus send_msg;
1650 allow xdm_t $1:dbus send_msg;
1651 ')
1652
1653 ########################################
1654 ## <summary>
1655 ## Read xserver files created in /var/run
1656 ## </summary>
1657 ## <param name="domain">
1658 ## <summary>
1659 ## Domain allowed access.
1660 ## </summary>
1661 ## </param>
1662 #
1663 interface(`xserver_read_pid',`
1664 gen_require(`
1665 type xserver_var_run_t;
1666 ')
1667
1668 files_search_pids($1)
1669 read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
1670 ')
1671
1672 ########################################
1673 ## <summary>
1674 ## Execute xserver files created in /var/run
1675 ## </summary>
1676 ## <param name="domain">
1677 ## <summary>
1678 ## Domain allowed access.
1679 ## </summary>
1680 ## </param>
1681 #
1682 interface(`xserver_exec_pid',`
1683 gen_require(`
1684 type xserver_var_run_t;
1685 ')
1686
1687 files_search_pids($1)
1688 exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
1689 ')
1690
1691 ########################################
1692 ## <summary>
1693 ## Write xserver files created in /var/run
1694 ## </summary>
1695 ## <param name="domain">
1696 ## <summary>
1697 ## Domain allowed access.
1698 ## </summary>
1699 ## </param>
1700 #
1701 interface(`xserver_write_pid',`
1702 gen_require(`
1703 type xserver_var_run_t;
1704 ')
1705
1706 files_search_pids($1)
1707 write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
1708 ')
1709
1710 ########################################
1711 ## <summary>
1712 ## Append to inherited xdm log files. Also adds the
1713 ## domain to the xdmhomewriter attribute.
1714 ## </summary>
1715 ## <param name="domain">
1716 ## <summary>
1717 ## Domain allowed access.
1718 ## </summary>
1719 ## </param>
1720 #
1721 interface(`xserver_xdm_append_log',`
1722 gen_require(`
1723 type xdm_log_t;
1724 attribute xdmhomewriter;
1725 ')
1726
1727 typeattribute $1 xdmhomewriter;
1728 allow $1 xdm_log_t:file append_inherited_file_perms;
1729 ')
1730
1731 ########################################
1732 ## <summary>
1733 ## Read the user .ICEauthority file.
1734 ## </summary>
1735 ## <param name="domain">
1736 ## <summary>
1737 ## Domain allowed access.
1738 ## </summary>
1739 ## </param>
1740 #
1741 interface(`xserver_read_user_iceauth',`
1742 gen_require(`
1743 type iceauth_home_t;
1744 ')
1745
1746 # Read .Iceauthority file
1747 allow $1 iceauth_home_t:file read_file_perms;
1748 ')
1749
1750 ########################################
1751 ## <summary>
1752 ## Read/write inherited user homedir fonts.
1753 ## </summary>
1754 ## <param name="domain">
1755 ## <summary>
1756 ## Domain allowed access.
1757 ## </summary>
1758 ## </param>
1759 #
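interface(`xserver_rw_inherited_user_fonts',`
	gen_require(`
		type user_fonts_t, user_fonts_config_t;
	')

	allow $1 user_fonts_t:file rw_inherited_file_perms;
	# read_lnk_file_perms is a symlink permission set, so it belongs on
	# the lnk_file class. The rule previously named the file class, so
	# this interface granted nothing for font symlinks.
	allow $1 user_fonts_t:lnk_file read_lnk_file_perms;

	allow $1 user_fonts_config_t:file rw_inherited_file_perms;
')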
1770
1771 ########################################
1772 ## <summary>
1773 ## Search XDM var lib dirs.
1774 ## </summary>
1775 ## <param name="domain">
1776 ## <summary>
1777 ## Domain allowed access.
1778 ## </summary>
1779 ## </param>
1780 #
1781 interface(`xserver_search_xdm_lib',`
1782 gen_require(`
1783 type xdm_var_lib_t;
1784 ')
1785
1786 allow $1 xdm_var_lib_t:dir search_dir_perms;
1787 ')
1788
1789 ########################################
1790 ## <summary>
1791 ## Make an X executable an entrypoint for the specified domain.
1792 ## </summary>
1793 ## <param name="domain">
1794 ## <summary>
1795 ## The domain for which the X executable is an entrypoint.
1796 ## </summary>
1797 ## </param>
1798 #
1799 interface(`xserver_entry_type',`
1800 gen_require(`
1801 type xserver_exec_t;
1802 ')
1803
1804 domain_entry_file($1, xserver_exec_t)
1805 ')
1806
1807 ########################################
1808 ## <summary>
1809 ## Execute xserver in the xserver domain, and
1810 ## allow the specified role the xserver domain.
1811 ## </summary>
1812 ## <param name="domain">
1813 ## <summary>
1814 ## Domain allowed access.
1815 ## </summary>
1816 ## </param>
1817 ## <param name="role">
1818 ## <summary>
1819 ## The role to be allowed the xserver domain.
1820 ## </summary>
1821 ## </param>
1822 ## <rolecap/>
1823 #
1824 interface(`xserver_run',`
1825 gen_require(`
1826 type xserver_t;
1827 ')
1828
1829 xserver_domtrans($1)
1830 role $2 types xserver_t;
1831 ')
1832
1833 ########################################
1834 ## <summary>
1835 ## Execute xauth in the xauth domain, and
1836 ## allow the specified role the xauth domain.
1837 ## </summary>
1838 ## <param name="domain">
1839 ## <summary>
1840 ## Domain allowed access.
1841 ## </summary>
1842 ## </param>
1843 ## <param name="role">
1844 ## <summary>
1845 ## The role to be allowed the xauth domain.
1846 ## </summary>
1847 ## </param>
1848 ## <rolecap/>
1849 #
1850 interface(`xserver_run_xauth',`
1851 gen_require(`
1852 type xauth_t;
1853 ')
1854
1855 xserver_domtrans_xauth($1)
1856 role $2 types xauth_t;
1857 ')
1858
1859 ########################################
1860 ## <summary>
1861 ## Read user homedir fonts.
1862 ## </summary>
1863 ## <param name="domain">
1864 ## <summary>
1865 ## Domain allowed access.
1866 ## </summary>
1867 ## </param>
1868 ## <rolecap/>
1869 #
1870 interface(`xserver_read_home_fonts',`
1871 gen_require(`
1872 type user_fonts_t, user_fonts_config_t;
1873 ')
1874
1875 list_dirs_pattern($1, user_fonts_t, user_fonts_t)
1876 read_files_pattern($1, user_fonts_t, user_fonts_t)
1877 read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
1878
1879 read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
1880 ')
1881
1882 ########################################
1883 ## <summary>
1884 ## Manage user homedir fonts.
1885 ## </summary>
1886 ## <param name="domain">
1887 ## <summary>
1888 ## Domain allowed access.
1889 ## </summary>
1890 ## </param>
1891 ## <rolecap/>
1892 #
1893 interface(`xserver_manage_home_fonts',`
1894 gen_require(`
1895 type user_fonts_t, user_fonts_config_t, user_fonts_cache_t;
1896 ')
1897
1898 manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
1899 manage_files_pattern($1, user_fonts_t, user_fonts_t)
1900 manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
1901
1902 manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
1903
1904 # userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts.d")
1905 # userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
1906 # userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
1907 ')
1908
1909 ########################################
1910 ## <summary>
1911 ## Transition to xserver named content
1912 ## </summary>
1913 ## <param name="domain">
1914 ## <summary>
1915 ## Domain allowed access.
1916 ## </summary>
1917 ## </param>
1918 #
1919 interface(`xserver_filetrans_home_content',`
1920 gen_require(`
1921 type xdm_home_t, xauth_home_t, iceauth_home_t;
1922 type user_home_t, user_fonts_t, user_fonts_cache_t;
1923 type user_fonts_config_t;
1924 ')
1925
1926 userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
1927 userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
1928 userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
1929 userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
1930 userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
1931 userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
1932 userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
1933 userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
1934 userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
1935 userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
1936 userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
1937 filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto")
1938 ')
1939
1940 ########################################
1941 ## <summary>
1942 ## Create xserver content in admin home
1943 ## directory with a named file transition.
1944 ## </summary>
1945 ## <param name="domain">
1946 ## <summary>
1947 ## Domain allowed access.
1948 ## </summary>
1949 ## </param>
1950 #
1951 interface(`xserver_filetrans_admin_home_content',`
1952 gen_require(`
1953 type xdm_home_t, xauth_home_t, iceauth_home_t;
1954 type user_home_t, user_fonts_t, user_fonts_cache_t;
1955 type user_fonts_config_t;
1956 ')
1957
1958 userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
1959 userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
1960 userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
1961 userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
1962 userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
1963 userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
1964 userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
1965 userdom_admin_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
1966 userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
1967 userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
1968 userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
1969 ')