1 policy_module(xserver, 3.5.0)
# X protocol object classes controlled by the X userspace object manager
# (XACE/XSELinux). Each class is listed with the macro naming its full
# permission set so the rules below can use single permissions or the set.
# NOTE(review): original lines 2-3 and 21-22 are not in this listing; in
# refpolicy this class list is normally wrapped in a gen_require block -
# confirm against the full file.
4 class x_drawable all_x_drawable_perms;
5 class x_screen all_x_screen_perms;
6 class x_gc all_x_gc_perms;
7 class x_font all_x_font_perms;
8 class x_colormap all_x_colormap_perms;
9 class x_property all_x_property_perms;
10 class x_selection all_x_selection_perms;
11 class x_cursor all_x_cursor_perms;
12 class x_client all_x_client_perms;
13 class x_device all_x_device_perms;
14 class x_pointer all_x_pointer_perms;
15 class x_keyboard all_x_keyboard_perms;
16 class x_server all_x_server_perms;
17 class x_extension all_x_extension_perms;
18 class x_resource all_x_resource_perms;
19 class x_event all_x_event_perms;
20 class x_synthetic_event all_x_synthetic_event_perms;
23 ########################################
# Tunables. All three default to false. The "##" lines below are fragments
# of the XML descriptions read by the policy documentation tools; the rest
# of each description block is not in this listing, so they are left as-is.
# allow_write_xshm: its use is not visible in this listing.
30 ## Allows clients to write to the X server shared
34 gen_tunable(allow_write_xshm, false)
# xdm_sysadm_login: selects between userdom_xsession_spec_domtrans_all_users
# and the unprivileged-users-only variant in the XDM local policy section.
38 ## Allow xdm logins as sysadm
41 gen_tunable(xdm_sysadm_login, false)
# xserver_object_manager: while false (the default) the two
# !xserver_object_manager tunable_policy blocks later in this module are
# active and grant xserver_t and every x_domain every permission on every X
# object class, so X object labeling is not enforced until it is enabled.
45 ## Support X userspace object manager
48 gen_tunable(xserver_object_manager, false)
# X event types. input_xevent_type marks events that carry user input.
53 attribute xevent_type;
54 attribute input_xevent_type;
55 type xevent_t, xevent_type;
# Role-prefixed event type names are aliased onto the single xevent_t
# (presumably kept so policy written against the old per-role names loads).
56 typealias xevent_t alias { user_property_xevent_t staff_property_xevent_t sysadm_property_xevent_t };
57 typealias xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t };
58 typealias xevent_t alias { user_focus_xevent_t staff_focus_xevent_t sysadm_focus_xevent_t };
59 typealias xevent_t alias { auditadm_focus_xevent_t secadm_focus_xevent_t };
60 typealias xevent_t alias { user_manage_xevent_t staff_manage_xevent_t sysadm_manage_xevent_t };
61 typealias xevent_t alias { auditadm_manage_xevent_t secadm_manage_xevent_t };
62 typealias xevent_t alias { user_default_xevent_t staff_default_xevent_t sysadm_default_xevent_t };
63 typealias xevent_t alias { auditadm_default_xevent_t secadm_default_xevent_t };
# ICCCM client-to-client events (received and, for synthetic events, sent to
# the root window by every x_domain in the common rules).
65 type client_xevent_t, xevent_type;
66 typealias client_xevent_t alias { user_client_xevent_t staff_client_xevent_t sysadm_client_xevent_t };
67 typealias client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t };
69 type input_xevent_t, xevent_type, input_xevent_type;
# X protocol extensions. security_xextension_t is declared separately from
# the generic xextension_t; the common rules currently grant x_domain the
# same query/use on both, so the split only matters to policy that
# distinguishes them.
72 attribute xextension_type;
73 type xextension_t, xextension_type;
74 type security_xextension_t, xextension_type;
# Window properties. seclabel_xproperty_t is presumably the property that
# exposes security labels (x_domain only gets getattr/read on it below);
# clipboard_xproperty_t is the cut buffer type.
77 attribute xproperty_type;
78 type xproperty_t, xproperty_type;
79 type seclabel_xproperty_t, xproperty_type;
80 type clipboard_xproperty_t, xproperty_type;
# Selections: generic and clipboard. Two further types are left commented.
83 attribute xselection_type;
84 type xselection_t, xselection_type;
85 type clipboard_xselection_t, xselection_type;
86 #type settings_xselection_t, xselection_type;
87 #type dbus_xselection_t, xselection_type;
# Root window and default colormap; xserver_t type_transitions its own
# drawables and colormaps to these in the X server section.
90 attribute xdrawable_type;
91 attribute xcolormap_type;
92 type root_xdrawable_t, xdrawable_type;
93 type root_xcolormap_t, xcolormap_type;
# Domains carrying this attribute get every permission on every X object
# class unconditionally (see the unconfined rules at the end of the module).
# xserver_unconfined(xdm_t) in the XDM section assigns it to xdm_t.
95 attribute xserver_unconfined_type;
# Per-domain X object types for the server itself (root) and for ordinary
# user domains. The template bodies are defined outside this listing.
97 xserver_object_types_template(root)
98 xserver_object_types_template(user)
# Role-prefixed names aliased onto the user_ types the template produced.
100 typealias user_xproperty_t alias { staff_xproperty_t sysadm_xproperty_t };
101 typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t };
102 typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t };
103 typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xevent_t };
# X object types and the common x_domain rules for remote_t (the domain
# itself is declared outside this listing).
106 xserver_object_types_template(remote)
107 xserver_common_x_domain_template(remote,remote_t)
# Per-user font, font cache and font config types, all home directory
# content. NOTE(review): the type declarations themselves (type user_fonts_t;
# type iceauth_t; type xauth_t; and so on) are not in this listing - the gaps
# in the original line numbering suggest they were dropped in extraction.
110 typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
111 typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
112 userdom_user_home_content(user_fonts_t)
114 type user_fonts_cache_t;
115 typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
116 typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
117 userdom_user_home_content(user_fonts_cache_t)
119 type user_fonts_config_t;
120 typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t };
121 typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t };
122 userdom_user_home_content(user_fonts_config_t)
# iceauth: application domain for the ICE authority utility, constrained by
# user-based access control; iceauth_home_t is its per-user authority file.
126 typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t };
127 typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
128 application_domain(iceauth_t, iceauth_exec_t)
129 ubac_constrained(iceauth_t)
132 typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
133 typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
134 userdom_user_home_content(iceauth_home_t)
# xauth: application domain for the X authority utility; xauth_home_t is the
# per-user authority file and xauth_tmp_t its temp files.
# NOTE(review): xauth_home_t presumably holds the client authentication
# cookies for the display, so every domain granted read on it (xdm_t and
# xserver_t in the sections below) can authenticate to the user display -
# confirm against file_contexts.
138 typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
139 typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
140 application_domain(xauth_t, xauth_exec_t)
141 ubac_constrained(xauth_t)
144 typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
145 typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
146 userdom_user_home_content(xauth_home_t)
149 typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
150 typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
151 files_tmp_file(xauth_tmp_t)
152 ubac_constrained(xauth_tmp_t)
154 # this is not actually a device, it is a pipe
# (hence fifo_file rules on it in the XDM section and tmp/tmpfs association).
155 type xconsole_device_t;
156 files_type(xconsole_device_t)
157 fs_associate_tmpfs(xconsole_device_t)
158 files_associate_tmp(xconsole_device_t)
# xdm_t: the display manager. It is a login program (auth_login_pgm_domain),
# is started by init as a daemon, and gets its own X object types plus the
# common x_domain rules through the templates.
# NOTE(review): type xdm_t; (original line 161) is not in this listing.
162 auth_login_pgm_domain(xdm_t)
163 init_domain(xdm_t, xdm_exec_t)
164 init_daemon_domain(xdm_t, xdm_exec_t)
165 xserver_object_types_template(xdm)
166 xserver_common_x_domain_template(xdm, xdm_t)
# Display manager file types: lock, the /etc content it rewrites, /var/lib,
# pid, tmp and tmpfs. The type declaration preceding each call is not in
# this listing.
169 files_lock_file(xdm_lock_t)
172 files_type(xdm_rw_etc_t)
175 files_type(xdm_var_lib_t)
178 files_pid_file(xdm_var_run_t)
181 files_tmp_file(xdm_tmp_t)
182 typealias xdm_tmp_t alias ice_tmp_t;
185 files_tmpfs_file(xdm_tmpfs_t)
187 # type for /var/lib/xkb
189 files_type(xkb_var_lib_t)
191 # Type for the executable used to start the X server, e.g. Xwrapper.
# xserver_t: the X server, a system domain started by init. A single domain
# serves all roles; the role-prefixed names, including xdm_xserver_t, are
# aliases. ubac_constrained keeps user-based access control on it.
194 typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t };
195 typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
196 init_system_domain(xserver_t, xserver_exec_t)
197 ubac_constrained(xserver_t)
# Server tmp (unix socket directory) and tmpfs (shared memory) file types.
200 typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
201 typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
202 files_tmp_file(xserver_tmp_t)
203 ubac_constrained(xserver_tmp_t)
205 type xserver_tmpfs_t;
206 typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
207 typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
208 files_tmpfs_file(xserver_tmpfs_t)
209 ubac_constrained(xserver_tmpfs_t)
# Executable type for the X session program (presumably the Xsession script).
211 type xsession_exec_t;
212 corecmd_executable_file(xsession_exec_t)
214 # Type for the X server log file.
216 logging_log_file(xserver_log_t)
# MCS-ranged variants of the xdm_t init declarations above.
# NOTE(review): these appear to sit inside a conditional block whose
# wrapper lines are not in this listing - presumably ifdef(enable_mcs).
219 init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
220 init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
# Lets prelink modify xkb_var_lib_t objects. NOTE(review): probably inside an
# optional_policy block whose wrapper lines are not in this listing.
224 prelink_object_file(xkb_var_lib_t)
227 ########################################
229 # Iceauth local policy
# iceauth manages its authority file in the user home directory; files it
# creates there are labeled iceauth_home_t.
232 allow iceauth_t iceauth_home_t:file manage_file_perms;
233 userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
# The display manager reads, but does not write, the ICE authority file.
235 allow xdm_t iceauth_home_t:file read_file_perms;
237 fs_search_auto_mountpoints(iceauth_t)
239 userdom_use_user_terminals(iceauth_t)
# Home directories on NFS/CIFS. The closing lines of both tunable_policy
# blocks are not in this listing.
241 tunable_policy(`use_nfs_home_dirs',`
242 fs_manage_nfs_files(iceauth_t)
245 tunable_policy(`use_samba_home_dirs',`
246 fs_manage_cifs_files(iceauth_t)
249 ########################################
# Xauth local policy. NOTE(review): the section title comment lines
# (original 250-253) are not in this listing.
254 allow xauth_t self:process signal;
255 allow xauth_t self:unix_stream_socket create_stream_socket_perms;
# xauth manages the authority file in the user home and its own temp files.
257 allow xauth_t xauth_home_t:file manage_file_perms;
258 userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
260 manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
261 manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
262 files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
# The display manager has full manage rights on the user authority file
# (presumably to install the session cookie). Compare the read-only grant
# on iceauth_home_t in the Iceauth section.
264 allow xdm_t xauth_home_t:file manage_file_perms;
265 userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
267 domain_use_interactive_fds(xauth_t)
269 files_read_etc_files(xauth_t)
270 files_search_pids(xauth_t)
272 fs_getattr_xattr_fs(xauth_t)
273 fs_search_auto_mountpoints(xauth_t)
276 term_use_ptmx(xauth_t)
278 auth_use_nsswitch(xauth_t)
280 userdom_use_user_terminals(xauth_t)
281 userdom_read_user_tmp_files(xauth_t)
# Read/write access to xdm_tmp_t files (interface defined outside this
# listing).
283 xserver_rw_xdm_tmp_files(xauth_t)
285 tunable_policy(`use_nfs_home_dirs',`
286 fs_manage_nfs_files(xauth_t)
289 tunable_policy(`use_samba_home_dirs',`
290 fs_manage_cifs_files(xauth_t)
# Presumably for ssh X11 forwarding, which invokes xauth. NOTE(review):
# likely inside an optional_policy block; wrapper lines are not in this
# listing.
295 ssh_read_pipes(xauth_t)
296 ssh_dontaudit_rw_tcp_sockets(xauth_t)
299 ########################################
# XDM local policy. NOTE(review): the section title comment lines
# (original 300-303) are not in this listing.
# Capabilities. NOTE(review): this set is broad for a display manager.
# dac_override, dac_read_search, sys_rawio, mknod and ipc_owner bypass
# normal DAC/IPC checks and each should be traceable to a concrete need
# (setuid/setgid/chown/fowner/fsetid are presumably for switching to the
# session user and fixing device ownership, kill for session teardown,
# sys_tty_config for VT handling, net_bind_service for listening ports).
304 allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
# setexec: xdm sets the context of the user session it launches (see the
# userdom_xsession_spec_domtrans_* calls below); setkeycreate for the
# session keyring.
305 allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
306 allow xdm_t self:fifo_file rw_fifo_file_perms;
307 allow xdm_t self:shm create_shm_perms;
308 allow xdm_t self:sem create_sem_perms;
309 allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
310 allow xdm_t self:unix_dgram_socket create_socket_perms;
311 allow xdm_t self:tcp_socket create_stream_socket_perms;
312 allow xdm_t self:udp_socket create_socket_perms;
313 allow xdm_t self:socket create_socket_perms;
314 allow xdm_t self:appletalk_socket create_socket_perms;
315 allow xdm_t self:key { search link write };
# xconsole_device_t is a pipe (see its declaration); xdm only adjusts its
# attributes here.
317 allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
319 # Allow gdm to run gdm-binary
320 can_exec(xdm_t, xdm_exec_t)
322 allow xdm_t xdm_lock_t:file manage_file_perms;
323 files_lock_filetrans(xdm_t, xdm_lock_t, file)
325 # wdm has its own config dir /etc/X11/wdm
326 # this is ugly, daemons should not create files under /etc!
327 manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
# Own tmp, tmpfs, /var/lib and pid files with the matching file transitions.
329 manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
330 manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
331 manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
332 files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
334 manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
335 manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
336 manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
337 manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
338 manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
339 fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
341 manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
342 manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
343 files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
345 manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
346 manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
347 manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
348 files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
# Interaction with the X server it spawns: signals, its unix socket and
# shared memory.
350 allow xdm_t xserver_t:process signal;
351 allow xdm_t xserver_t:unix_stream_socket connectto;
353 allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
354 allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
356 # transition to the xdm xserver
357 domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
358 allow xserver_t xdm_t:process signal;
# noatsecure/siginh/rlimitinh: the spawned server keeps the environment
# (no AT_SECURE), pending signals and resource limits of xdm across the
# domain transition instead of having them sanitised.
359 allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
361 allow xdm_t xserver_t:shm rw_shm_perms;
363 # connect to xdm xserver over stream socket
364 stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
366 # Remove /tmp/.X11-unix/X0.
367 delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
368 delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
# xdm creates and manages the X server log under the xserver_log_t type.
370 manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
371 manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
372 manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
373 logging_log_filetrans(xdm_t, xserver_log_t, file)
375 kernel_read_system_state(xdm_t)
376 kernel_read_kernel_sysctls(xdm_t)
377 kernel_read_net_sysctls(xdm_t)
378 kernel_read_network_state(xdm_t)
380 corecmd_exec_shell(xdm_t)
381 corecmd_exec_bin(xdm_t)
# Network: bind on generic nodes, send/receive on all ports and connect to
# all TCP ports. NOTE(review): connect_all_ports is presumably broader than
# a display manager needs; check whether a port-scoped interface would do.
383 corenet_all_recvfrom_unlabeled(xdm_t)
384 corenet_all_recvfrom_netlabel(xdm_t)
385 corenet_tcp_sendrecv_generic_if(xdm_t)
386 corenet_udp_sendrecv_generic_if(xdm_t)
387 corenet_tcp_sendrecv_generic_node(xdm_t)
388 corenet_udp_sendrecv_generic_node(xdm_t)
389 corenet_tcp_sendrecv_all_ports(xdm_t)
390 corenet_udp_sendrecv_all_ports(xdm_t)
391 corenet_tcp_bind_generic_node(xdm_t)
392 corenet_udp_bind_generic_node(xdm_t)
393 corenet_tcp_connect_all_ports(xdm_t)
394 corenet_sendrecv_all_client_packets(xdm_t)
395 # xdm tries to bind to biff_port_t
396 corenet_dontaudit_tcp_bind_all_ports(xdm_t)
# Device nodes: mostly getattr/setattr only (no read/write), presumably so
# xdm can hand console devices to the logged-in user; apm_bios also gets rw.
399 dev_read_sysfs(xdm_t)
400 dev_getattr_framebuffer_dev(xdm_t)
401 dev_setattr_framebuffer_dev(xdm_t)
402 dev_getattr_mouse_dev(xdm_t)
403 dev_setattr_mouse_dev(xdm_t)
404 dev_rw_apm_bios(xdm_t)
405 dev_setattr_apm_bios_dev(xdm_t)
408 dev_getattr_xserver_misc_dev(xdm_t)
409 dev_setattr_xserver_misc_dev(xdm_t)
410 dev_getattr_misc_dev(xdm_t)
411 dev_setattr_misc_dev(xdm_t)
412 dev_dontaudit_rw_misc(xdm_t)
413 dev_getattr_video_dev(xdm_t)
414 dev_setattr_video_dev(xdm_t)
415 dev_getattr_scanner_dev(xdm_t)
416 dev_setattr_scanner_dev(xdm_t)
417 dev_getattr_sound_dev(xdm_t)
418 dev_setattr_sound_dev(xdm_t)
419 dev_getattr_power_mgmt_dev(xdm_t)
420 dev_setattr_power_mgmt_dev(xdm_t)
422 domain_use_interactive_fds(xdm_t)
423 # Do not audit denied probes of /proc.
424 domain_dontaudit_read_all_domains_state(xdm_t)
426 files_read_etc_files(xdm_t)
427 files_read_var_files(xdm_t)
428 files_read_etc_runtime_files(xdm_t)
429 files_exec_etc_files(xdm_t)
430 files_list_mnt(xdm_t)
431 # Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
432 files_read_usr_files(xdm_t)
433 # Poweroff wants to create the /poweroff file when run from xdm
434 files_create_boot_flag(xdm_t)
436 fs_getattr_all_fs(xdm_t)
437 fs_search_auto_mountpoints(xdm_t)
# Silence, without allowing, raw disk and SCSI device access attempts.
439 storage_dontaudit_read_fixed_disk(xdm_t)
440 storage_dontaudit_write_fixed_disk(xdm_t)
441 storage_dontaudit_setattr_fixed_disk_dev(xdm_t)
442 storage_dontaudit_raw_read_removable_device(xdm_t)
443 storage_dontaudit_raw_write_removable_device(xdm_t)
444 storage_dontaudit_setattr_removable_dev(xdm_t)
445 storage_dontaudit_rw_scsi_generic(xdm_t)
447 term_setattr_console(xdm_t)
448 term_use_unallocated_ttys(xdm_t)
449 term_setattr_unallocated_ttys(xdm_t)
# PAM: pam_console transition, pam pid and console data, faillog and the
# login records a login program maintains.
451 auth_domtrans_pam_console(xdm_t)
452 auth_manage_pam_pid(xdm_t)
453 auth_manage_pam_console_data(xdm_t)
454 auth_rw_faillog(xdm_t)
455 auth_write_login_records(xdm_t)
457 # Run telinit->init to shutdown.
# NOTE(review): the rule this comment describes (original line 458) is not
# in this listing.
460 libs_exec_lib_files(xdm_t)
462 logging_read_generic_logs(xdm_t)
464 miscfiles_read_localization(xdm_t)
465 miscfiles_read_fonts(xdm_t)
467 sysnet_read_config(xdm_t)
469 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
# xdm creates keyrings for all users, reads the home content and /proc
# state of every user domain, and may signal their processes.
470 userdom_create_all_users_keys(xdm_t)
472 userdom_read_user_home_content_files(xdm_t)
473 # Search /proc for any user domain processes.
474 userdom_read_all_users_state(xdm_t)
475 userdom_signal_all_users(xdm_t)
# xserver_unconfined(xdm_t) adds xdm_t to xserver_unconfined_type: the
# display manager gets every permission on every X object class regardless
# of the xserver_object_manager tunable (see the unconfined rules section).
477 xserver_rw_session(xdm_t, xdm_tmpfs_t)
478 xserver_unconfined(xdm_t)
480 tunable_policy(`use_nfs_home_dirs',`
481 fs_manage_nfs_dirs(xdm_t)
482 fs_manage_nfs_files(xdm_t)
483 fs_manage_nfs_symlinks(xdm_t)
484 fs_exec_nfs_files(xdm_t)
487 tunable_policy(`use_samba_home_dirs',`
488 fs_manage_cifs_dirs(xdm_t)
489 fs_manage_cifs_files(xdm_t)
490 fs_manage_cifs_symlinks(xdm_t)
491 fs_exec_cifs_files(xdm_t)
# Session transition: with xdm_sysadm_login set, xdm may start sessions for
# every user domain (including sysadm); otherwise only for unprivileged
# ones. NOTE(review): the else-branch marker and the closing of this
# tunable_policy block (original 496 and 498) are not in this listing.
494 tunable_policy(`xdm_sysadm_login',`
495 userdom_xsession_spec_domtrans_all_users(xdm_t)
497 # xserver_rw_session_template(xdm,userdomain)
499 userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
501 # xserver_rw_session_template(xdm,unpriv_userdomain)
502 # dontaudit xserver_t sysadm_t:shm { unix_read unix_write };
503 # allow xserver_t xdm_tmpfs_t:file rw_file_perms;
# Interactions with other modules. NOTE(review): the optional_policy
# wrapper lines are not in this listing; each call below is assumed to sit
# inside one.
511 consolekit_dbus_chat(xdm_t)
515 consoletype_exec(xdm_t)
519 # Talk to the console mouse server.
520 gpm_stream_connect(xdm_t)
521 gpm_setattr_gpmctl(xdm_t)
533 locallogin_signull(xdm_t)
537 # Do not audit attempts to check whether user root has email
538 mta_dontaudit_getattr_spool_files(xdm_t)
542 resmgr_stream_connect(xdm_t)
546 seutil_sigchld_newrole(xdm_t)
# Presumably inside an optional_policy block for the unconfined module: when
# it is present xdm_t becomes an unconfined domain and may transition to the
# unconfined domain, so all the scoped rules above only constrain xdm on
# builds without it. execheap/execmem are added on non-Red Hat distros and
# on RHEL4.
554 unconfined_domain(xdm_t)
555 unconfined_domtrans(xdm_t)
557 ifndef(`distro_redhat',`
558 allow xdm_t self:process { execheap execmem };
561 ifdef(`distro_rhel4',`
562 allow xdm_t self:process { execheap execmem };
567 userhelper_dontaudit_search_config(xdm_t)
571 usermanage_read_crack_db(xdm_t)
575 xfs_stream_connect(xdm_t)
578 ########################################
580 # X server local policy
583 # X Object Manager rules
# Drawables and colormaps the server creates for itself become the root
# window and default colormap types; input events the server generates on
# the root drawable get root_input_xevent_t (from the root object template).
584 type_transition xserver_t xserver_t:x_drawable root_xdrawable_t;
585 type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
586 type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
588 allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
589 allow xserver_t input_xevent_t:x_event send;
591 # setuid/setgid for the wrapper program to change UID
592 # sys_rawio is for iopl access - should not be needed for frame-buffer
593 # sys_admin, locking shared mem? chowning IPC message queues or semaphores?
595 # sys_nice is so that the X server can set a negative nice value
596 # execheap needed until the X module loader is fixed.
597 # NVIDIA Needs execstack
599 allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
600 dontaudit xserver_t self:capability chown;
# Complement rule: every process permission except those listed. The
# excluded execmem/execstack/execheap are re-granted unconditionally further
# down for non-Red Hat distros and RHEL4, so the exclusion only holds on
# current Red Hat builds.
601 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
602 allow xserver_t self:fd use;
603 allow xserver_t self:fifo_file rw_fifo_file_perms;
604 allow xserver_t self:sock_file read_sock_file_perms;
605 allow xserver_t self:shm create_shm_perms;
606 allow xserver_t self:sem create_sem_perms;
607 allow xserver_t self:msgq create_msgq_perms;
608 allow xserver_t self:msg { send receive };
609 allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
610 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
611 allow xserver_t self:tcp_socket create_stream_socket_perms;
612 allow xserver_t self:udp_socket create_socket_perms;
613 allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
# Own tmp files (including the unix socket), tmpfs and xkb state.
615 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
616 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
617 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
618 files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
620 filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
622 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
623 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
624 manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
625 manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
626 manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
627 fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
# NOTE(review): xserver_t writes xkb_var_lib_t here and, in the XDM Xserver
# section, may also execute it (can_exec) - a write-then-execute path for
# content the server itself produces.
629 manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
630 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
631 files_search_var_lib(xserver_t)
# The server runs xauth and reads the user authority file (presumably the
# client cookies it accepts).
633 domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
634 allow xserver_t xauth_home_t:file read_file_perms;
636 # Create files in /var/log with the xserver_log_t type.
637 manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
638 logging_log_filetrans(xserver_t, xserver_log_t, file)
640 kernel_read_system_state(xserver_t)
641 kernel_read_device_sysctls(xserver_t)
642 kernel_read_modprobe_sysctls(xserver_t)
643 # Xorg wants to check if kernel is tainted
644 kernel_read_kernel_sysctls(xserver_t)
# NOTE(review): write access to /proc files is broad; worth narrowing to
# the specific file if it can be identified.
645 kernel_write_proc_files(xserver_t)
647 # Run helper programs in xserver_t.
648 corecmd_exec_bin(xserver_t)
649 corecmd_exec_shell(xserver_t)
# Network: binds the X server port (and the VNC port in the XDM Xserver
# section), sends/receives on all ports and may connect to all TCP ports.
# NOTE(review): connect_all_ports is the rule to question for a server.
651 corenet_all_recvfrom_unlabeled(xserver_t)
652 corenet_all_recvfrom_netlabel(xserver_t)
653 corenet_tcp_sendrecv_generic_if(xserver_t)
654 corenet_udp_sendrecv_generic_if(xserver_t)
655 corenet_tcp_sendrecv_generic_node(xserver_t)
656 corenet_udp_sendrecv_generic_node(xserver_t)
657 corenet_tcp_sendrecv_all_ports(xserver_t)
658 corenet_udp_sendrecv_all_ports(xserver_t)
659 corenet_tcp_bind_generic_node(xserver_t)
660 corenet_tcp_bind_xserver_port(xserver_t)
661 corenet_tcp_connect_all_ports(xserver_t)
662 corenet_sendrecv_xserver_server_packets(xserver_t)
663 corenet_sendrecv_all_client_packets(xserver_t)
# Hardware access: the server drives graphics hardware directly (sysfs,
# mtrr, agp, framebuffer, dri) and reads/writes the input event devices.
# dev_wx_raw_memory grants write and execute mapping of the raw memory
# devices, which amounts to full control of the machine; the comment below
# records it as needed for the non-framebuffer path.
665 dev_rw_sysfs(xserver_t)
666 dev_rw_mouse(xserver_t)
667 dev_rw_mtrr(xserver_t)
668 dev_rw_apm_bios(xserver_t)
669 dev_rw_agp(xserver_t)
670 dev_rw_framebuffer(xserver_t)
671 dev_manage_dri_dev(xserver_t)
672 dev_filetrans_dri(xserver_t)
673 dev_create_generic_dirs(xserver_t)
674 dev_setattr_generic_dirs(xserver_t)
675 # raw memory access is needed if not using the frame buffer
676 dev_read_raw_memory(xserver_t)
677 dev_wx_raw_memory(xserver_t)
678 # for other device nodes such as the NVidia binary-only driver
679 dev_rw_xserver_misc(xserver_t)
680 # read events - the synaptics touchpad driver reads raw events
681 dev_rw_input_dev(xserver_t)
682 dev_rwx_zero(xserver_t)
684 files_read_etc_files(xserver_t)
685 files_read_etc_runtime_files(xserver_t)
686 files_read_usr_files(xserver_t)
689 files_search_mnt(xserver_t)
691 files_dontaudit_search_pids(xserver_t)
693 fs_getattr_xattr_fs(xserver_t)
694 fs_search_nfs(xserver_t)
695 fs_search_auto_mountpoints(xserver_t)
696 fs_search_ramfs(xserver_t)
# MLS attribute for the X server (defined in the mls module).
698 mls_xwin_read_to_clearance(xserver_t)
# Userspace object manager support: validate contexts and obtain access and
# create decisions from the kernel security server for the X object classes.
700 selinux_validate_context(xserver_t)
701 selinux_compute_access_vector(xserver_t)
702 selinux_compute_create_context(xserver_t)
704 auth_use_nsswitch(xserver_t)
706 init_getpgid(xserver_t)
708 term_setattr_unallocated_ttys(xserver_t)
709 term_use_unallocated_ttys(xserver_t)
711 getty_use_fds(xserver_t)
713 locallogin_use_fds(xserver_t)
# syslog plus audit messages (presumably object manager denials go to audit).
715 logging_send_syslog_msg(xserver_t)
716 logging_send_audit_msgs(xserver_t)
718 miscfiles_read_localization(xserver_t)
719 miscfiles_read_fonts(xserver_t)
# The server may load kernel modules through the insmod domain (presumably
# for DRM and vendor drivers).
721 modutils_domtrans_insmod(xserver_t)
724 seutil_read_default_contexts(xserver_t)
726 userdom_search_user_home_dirs(xserver_t)
727 userdom_use_user_ttys(xserver_t)
728 userdom_setattr_user_ttys(xserver_t)
729 userdom_rw_user_tmpfs_files(xserver_t)
731 xserver_use_user_fonts(xserver_t)
# Executable memory and low mmap for the module loader and binary drivers
# on non-Red Hat distros and RHEL4 (see the capability comments above). The
# closing lines of both conditionals are not in this listing.
733 ifndef(`distro_redhat',`
734 allow xserver_t self:process { execmem execheap execstack };
735 domain_mmap_low_uncond(xserver_t)
738 ifdef(`distro_rhel4',`
739 allow xserver_t self:process { execmem execheap execstack };
# MLS range transitions for the unix socket and drawables. NOTE(review):
# presumably inside an ifdef(enable_mls) block whose wrapper lines are not
# in this listing.
743 range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh;
744 range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
# While the userspace object manager is disabled (the default, see the
# tunable declaration) the server gets every permission on every X object
# class. The comment inside explains why this is a tunable_policy block
# rather than xserver_unconfined(xserver_t).
747 tunable_policy(`!xserver_object_manager',`
748 # should be xserver_unconfined(xserver_t),
749 # but typeattribute does not work in conditionals
751 allow xserver_t xserver_t:x_server *;
752 allow xserver_t { x_domain root_xdrawable_t }:x_drawable *;
753 allow xserver_t xserver_t:x_screen *;
754 allow xserver_t x_domain:x_gc *;
755 allow xserver_t { x_domain root_xcolormap_t }:x_colormap *;
756 allow xserver_t xproperty_type:x_property *;
757 allow xserver_t xselection_type:x_selection *;
758 allow xserver_t x_domain:x_cursor *;
759 allow xserver_t x_domain:x_client *;
760 allow xserver_t { x_domain xserver_t }:x_device *;
761 allow xserver_t { x_domain xserver_t }:x_pointer *;
762 allow xserver_t { x_domain xserver_t }:x_keyboard *;
763 allow xserver_t xextension_type:x_extension *;
764 allow xserver_t { x_domain xserver_t }:x_resource *;
765 allow xserver_t xevent_type:{ x_event x_synthetic_event } *;
# Interactions with other modules. NOTE(review): the optional_policy wrapper
# lines are not in this listing; each call below is assumed to sit inside
# one.
769 apm_stream_connect(xserver_t)
773 auth_search_pam_console_data(xserver_t)
777 rhgb_getpgid(xserver_t)
778 rhgb_signal(xserver_t)
782 udev_read_db(xserver_t)
# With the unconfined module present xserver_t is unconfined (denials not
# audited) and may transition to the unconfined domain.
786 unconfined_domain_noaudit(xserver_t)
787 unconfined_domtrans(xserver_t)
791 userhelper_search_config(xserver_t)
795 xfs_stream_connect(xserver_t)
798 ########################################
800 # XDM Xserver local policy
802 # cjp: when xdm is configurable via tunable these
803 # rules will be enabled only when xdm is enabled
# The server signals, and shares memory with, the display manager that
# spawned it.
805 allow xserver_t xdm_t:process { signal getpgid };
806 allow xserver_t xdm_t:shm rw_shm_perms;
808 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
809 # handle of a file inside the dir!!!
810 allow xserver_t xdm_var_lib_t:file { getattr read };
811 dontaudit xserver_t xdm_var_lib_t:dir search;
813 allow xserver_t xdm_var_run_t:file read_file_perms;
815 # Label pid and temporary files with derived types.
816 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
817 manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
818 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# NOTE(review): can_exec on xkb_var_lib_t, together with the
# manage_files_pattern on the same type in the X server section, lets the
# server execute content it wrote itself. Confirm this is intended; the
# /var/lib/xkb content is presumably compiled keymap data rather than code.
821 allow xserver_t xkb_var_lib_t:lnk_file read;
822 can_exec(xserver_t, xkb_var_lib_t)
824 # VNC v4 module in X server
825 corenet_tcp_bind_vnc_port(xserver_t)
827 init_use_fds(xserver_t)
829 # FIXME: After per user fonts are properly working
830 # xserver_t may no longer have any reason
831 # to read ROLE_home_t - examine this in more detail
833 userdom_read_user_home_content_files(xserver_t)
# Home directories on NFS/CIFS; closing lines of both blocks are not in this
# listing.
835 tunable_policy(`use_nfs_home_dirs',`
836 fs_manage_nfs_dirs(xserver_t)
837 fs_manage_nfs_files(xserver_t)
838 fs_manage_nfs_symlinks(xserver_t)
841 tunable_policy(`use_samba_home_dirs',`
842 fs_manage_cifs_dirs(xserver_t)
843 fs_manage_cifs_files(xserver_t)
844 fs_manage_cifs_symlinks(xserver_t)
# Interactions with other modules. NOTE(review): the optional_policy wrapper
# lines are not in this listing.
848 dbus_system_bus_client(xserver_t)
849 hal_dbus_chat(xserver_t)
# NOTE(review): this grants xdm_t, not xserver_t, and duplicates the
# resmgr_stream_connect(xdm_t) already present in the XDM section. SELinux
# merges duplicate allow rules so it is harmless, but in this section it
# looks like it was meant for xserver_t - confirm.
853 resmgr_stream_connect(xdm_t)
857 rhgb_rw_shm(xserver_t)
858 rhgb_rw_tmpfs_files(xserver_t)
861 ########################################
863 # Rules common to all X window domains
# Applied to every domain with the x_domain attribute, i.e. every X client.
# These are the baseline any confined client gets; the per-domain object
# types from xserver_object_types_template are what separate one client
# from another.
867 # everyone can do override-redirect windows.
868 # this could be used to spoof labels
869 allow x_domain self:x_drawable override;
870 # firefox gets nosy with other people's windows
871 allow x_domain x_domain:x_drawable { list_child receive };
874 # can get X server attributes
875 allow x_domain xserver_t:x_server getattr;
876 # can grab the server
# NOTE(review): a server grab stalls request processing for every other
# client while it is held, so any x_domain can freeze the display.
877 allow x_domain xserver_t:x_server grab;
878 # can read and write server-owned generic resources
879 allow x_domain xserver_t:x_resource { read write };
880 # can mess with own clients
881 allow x_domain self:x_client { getattr manage destroy };
883 # X Protocol Extensions
# Generic and security extensions currently get identical query/use; the
# separate type only allows them to be told apart by other policy.
884 allow x_domain xextension_t:x_extension { query use };
885 allow x_domain security_xextension_t:x_extension { query use };
888 # can change properties of root window
889 allow x_domain root_xdrawable_t:x_drawable { list_property get_property set_property };
890 # can change properties of my own windows
891 allow x_domain self:x_drawable { list_property get_property set_property };
892 # can read and write cut buffers
# Cut buffers are shared by all clients: this is a sanctioned data path
# between x_domains regardless of label.
893 allow x_domain clipboard_xproperty_t:x_property { create read write append };
894 # can read security labels
# Read-only: clients cannot create, write or destroy the label property,
# which is what keeps displayed labels trustworthy (override above aside).
895 allow x_domain seclabel_xproperty_t:x_property { getattr read };
896 # can change all other properties
897 allow x_domain xproperty_t:x_property { getattr create read write append destroy };
900 # operations allowed on root windows
901 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
902 # operations allowed on my windows
903 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
904 allow x_domain self:x_drawable { blend };
905 # operations allowed on all windows
# Cross-domain: get_property/set_property on any other client window is a
# read and write channel between X clients of different labels, bounded
# only by the property type rules above.
906 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
909 # can use the default colormap
910 allow x_domain root_xcolormap_t:x_colormap { read use add_color remove_color install uninstall };
911 # can create and use colormaps
912 allow x_domain self:x_colormap *;
915 # operations allowed on my own devices
916 allow x_domain self:{ x_device x_pointer x_keyboard } *;
917 # operations allowed on generic devices
918 allow x_domain xserver_t:x_device { use getattr setattr getfocus setfocus bell grab freeze force_cursor };
919 # operations allowed on core keyboard
# grab on the core keyboard or pointer routes all input to the grabbing
# client while held. read is granted on the core pointer but not on the
# core keyboard (the dontaudit for keyboard read is left commented out).
920 allow x_domain xserver_t:x_keyboard { use getattr setattr getfocus setfocus bell grab };
921 # operations allowed on core pointer
922 allow x_domain xserver_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor };
924 # all devices can generate input events
925 allow x_domain root_xdrawable_t:x_drawable send;
926 allow x_domain x_domain:x_drawable send;
927 allow x_domain input_xevent_t:x_event send;
929 # dontaudit keyloggers repeatedly polling
930 #dontaudit x_domain xserver_t:x_keyboard read;
933 # can receive default events
934 allow x_domain xevent_t:{ x_event x_synthetic_event } receive;
935 # can receive ICCCM events
936 allow x_domain client_xevent_t:{ x_event x_synthetic_event } receive;
937 # can send ICCCM events to the root window
938 allow x_domain client_xevent_t:x_synthetic_event send;
939 # can receive root window input events
940 allow x_domain root_input_xevent_t:x_event receive;
943 # can use the clipboard
944 allow x_domain clipboard_xselection_t:x_selection { getattr setattr read };
945 # can use default selections
946 allow x_domain xselection_t:x_selection { getattr setattr read };
949 # can create and use cursors
950 allow x_domain self:x_cursor *;
951 # can create and use graphics contexts
952 allow x_domain self:x_gc *;
953 # can read and write own objects
954 allow x_domain self:x_resource { read write };
955 # can mess with the screensaver
956 allow x_domain xserver_t:x_screen { getattr saver_getattr };
958 ########################################
960 # Rules for unconfined access to this module
# Two routes to blanket X access:
# 1. The !xserver_object_manager tunable (false by default, see its
#    declaration): while the object manager is disabled every x_domain gets
#    every permission on every X object class, so none of the common rules
#    above are the effective policy until the tunable is enabled.
# 2. The xserver_unconfined_type attribute, granted unconditionally below;
#    xdm_t receives it via xserver_unconfined in the XDM section.
# NOTE(review): the tunable is spelled "! xserver_object_manager" here and
# "!xserver_object_manager" in the X server section; presumably equivalent
# boolean expressions, but the spelling should be made consistent. The
# closing of this tunable_policy block (original 982) is not in this listing.
963 tunable_policy(`! xserver_object_manager',`
964 # should be xserver_unconfined(x_domain),
965 # but typeattribute does not work in conditionals
967 allow x_domain xserver_t:x_server *;
968 allow x_domain xdrawable_type:x_drawable *;
969 allow x_domain xserver_t:x_screen *;
970 allow x_domain x_domain:x_gc *;
971 allow x_domain xcolormap_type:x_colormap *;
972 allow x_domain xproperty_type:x_property *;
973 allow x_domain xselection_type:x_selection *;
974 allow x_domain x_domain:x_cursor *;
975 allow x_domain x_domain:x_client *;
976 allow x_domain { x_domain xserver_t }:x_device *;
977 allow x_domain { x_domain xserver_t }:x_pointer *;
978 allow x_domain { x_domain xserver_t }:x_keyboard *;
979 allow x_domain xextension_type:x_extension *;
980 allow x_domain { x_domain xserver_t }:x_resource *;
981 allow x_domain xevent_type:{ x_event x_synthetic_event } *;
# Unconditional: domains carrying xserver_unconfined_type bypass every X
# object check, including the seclabel and clipboard restrictions above.
984 allow xserver_unconfined_type xserver_t:x_server *;
985 allow xserver_unconfined_type xdrawable_type:x_drawable *;
986 allow xserver_unconfined_type xserver_t:x_screen *;
987 allow xserver_unconfined_type x_domain:x_gc *;
988 allow xserver_unconfined_type xcolormap_type:x_colormap *;
989 allow xserver_unconfined_type xproperty_type:x_property *;
990 allow xserver_unconfined_type xselection_type:x_selection *;
991 allow xserver_unconfined_type x_domain:x_cursor *;
992 allow xserver_unconfined_type x_domain:x_client *;
993 allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
994 allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
995 allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
996 allow xserver_unconfined_type xextension_type:x_extension *;
997 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
998 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;