selinux-policy/www/api-docs/services_xserver.html

1237 lines
19 KiB
HTML
Raw Normal View History

2006-03-07 14:35:03 +00:00
<html>
<head>
<title>
Security Enhanced Linux Reference Policy
</title>
<style type="text/css" media="all">@import "style.css";</style>
</head>
<body>
<div id="Header">Security Enhanced Linux Reference Policy</div>
<div id='Menu'>
<a href="admin.html">+&nbsp;
admin</a></br/>
<div id='subitem'>
</div>
<a href="apps.html">+&nbsp;
apps</a></br/>
<div id='subitem'>
</div>
<a href="kernel.html">+&nbsp;
kernel</a></br/>
<div id='subitem'>
</div>
<a href="services.html">+&nbsp;
services</a></br/>
<div id='subitem'>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_apache.html'>
apache</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_apm.html'>
apm</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_arpwatch.html'>
arpwatch</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_automount.html'>
automount</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_avahi.html'>
avahi</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_bind.html'>
bind</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_bluetooth.html'>
bluetooth</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_canna.html'>
canna</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_comsat.html'>
comsat</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_cpucontrol.html'>
cpucontrol</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_cron.html'>
cron</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_cups.html'>
cups</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_cvs.html'>
cvs</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_cyrus.html'>
cyrus</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_dbskk.html'>
dbskk</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_dbus.html'>
dbus</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_dhcp.html'>
dhcp</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_dictd.html'>
dictd</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_distcc.html'>
distcc</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_djbdns.html'>
djbdns</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_dovecot.html'>
dovecot</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_fetchmail.html'>
fetchmail</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_finger.html'>
finger</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_ftp.html'>
ftp</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_gpm.html'>
gpm</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_hal.html'>
hal</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_howl.html'>
howl</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_i18n_input.html'>
i18n_input</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_inetd.html'>
inetd</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_inn.html'>
inn</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_irqbalance.html'>
irqbalance</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_kerberos.html'>
kerberos</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_ktalk.html'>
ktalk</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_ldap.html'>
ldap</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_lpd.html'>
lpd</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_mailman.html'>
mailman</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_mta.html'>
mta</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_mysql.html'>
mysql</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_networkmanager.html'>
networkmanager</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_nis.html'>
nis</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_nscd.html'>
nscd</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_ntp.html'>
ntp</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_openct.html'>
openct</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_pegasus.html'>
pegasus</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_portmap.html'>
portmap</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_postfix.html'>
postfix</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_postgresql.html'>
postgresql</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_ppp.html'>
ppp</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_privoxy.html'>
privoxy</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_procmail.html'>
procmail</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_publicfile.html'>
publicfile</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_radius.html'>
radius</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_radvd.html'>
radvd</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_rdisc.html'>
rdisc</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_remotelogin.html'>
remotelogin</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_rlogin.html'>
rlogin</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_roundup.html'>
roundup</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_rpc.html'>
rpc</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_rshd.html'>
rshd</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_rsync.html'>
rsync</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_samba.html'>
samba</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_sasl.html'>
sasl</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_sendmail.html'>
sendmail</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_slrnpull.html'>
slrnpull</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_smartmon.html'>
smartmon</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_snmp.html'>
snmp</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_spamassassin.html'>
spamassassin</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_squid.html'>
squid</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_ssh.html'>
ssh</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_stunnel.html'>
stunnel</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_sysstat.html'>
sysstat</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_tcpd.html'>
tcpd</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_telnet.html'>
telnet</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_tftp.html'>
tftp</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_timidity.html'>
timidity</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_ucspitcp.html'>
ucspitcp</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_uucp.html'>
uucp</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_xfs.html'>
xfs</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_xserver.html'>
xserver</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='services_zebra.html'>
zebra</a><br/>
</div>
<a href="system.html">+&nbsp;
system</a></br/>
<div id='subitem'>
</div>
<br/><p/>
<a href="global_booleans.html">*&nbsp;Global&nbsp;Booleans&nbsp;</a>
<br/><p/>
<a href="global_tunables.html">*&nbsp;Global&nbsp;Tunables&nbsp;</a>
<p/><br/><p/>
<a href="index.html">*&nbsp;Layer Index</a>
<br/><p/>
<a href="interfaces.html">*&nbsp;Interface&nbsp;Index</a>
<br/><p/>
<a href="templates.html">*&nbsp;Template&nbsp;Index</a>
</div>
<div id="Content">
<a name="top":></a>
<h1>Layer: services</h1><p/>
<h2>Module: xserver</h2><p/>
<a href=#interfaces>Interfaces</a>
<a href=#templates>Templates</a>
<h3>Description:</h3>
<p><p>X Windows Server</p></p>
<a name="interfaces"></a>
<h3>Interfaces: </h3>
<a name="link_xserver_create_xdm_tmp_sockets"></a>
<div id="interface">
<div id="codeblock">
<b>xserver_create_xdm_tmp_sockets</b>(
domain
)<br>
</div>
<div id="description">
<h5>Summary</h5>
<p>
Create a named socket in a XDM
temporary directory.
</p>
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
<p>
Domain allowed access.
</p>
</td><td>
No
</td></tr>
</table>
</div>
</div>
<a name="link_xserver_delete_log"></a>
<div id="interface">
<div id="codeblock">
<b>xserver_delete_log</b>(
domain
)<br>
</div>
<div id="description">
<h5>Summary</h5>
<p>
Do not audit attempts to write the X server
log files.
</p>
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
<p>
Domain to not audit
</p>
</td><td>
No
</td></tr>
</table>
</div>
</div>
<a name="link_xserver_domtrans_xdm_xserver"></a>
<div id="interface">
<div id="codeblock">
<b>xserver_domtrans_xdm_xserver</b>(
domain
)<br>
</div>
<div id="description">
<h5>Summary</h5>
<p>
Execute the X server in the XDM X server domain.
</p>
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
<p>
Domain allowed access.
</p>
</td><td>
No
</td></tr>
</table>
</div>
</div>
<a name="link_xserver_dontaudit_write_log"></a>
<div id="interface">
<div id="codeblock">
<b>xserver_dontaudit_write_log</b>(
domain
)<br>
</div>
<div id="description">
<h5>Summary</h5>
<p>
Do not audit attempts to write the X server
log files.
</p>
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
<p>
Domain to not audit
</p>
</td><td>
No
</td></tr>
</table>
</div>
</div>
<a name="link_xserver_read_xdm_pid"></a>
<div id="interface">
<div id="codeblock">
<b>xserver_read_xdm_pid</b>(
domain
)<br>
</div>
<div id="description">
<h5>Summary</h5>
<p>
Read XDM pid files.
</p>
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
<p>
Domain allowed access.
</p>
</td><td>
No
</td></tr>
</table>
</div>
</div>
<a name="link_xserver_read_xdm_rw_config"></a>
<div id="interface">
<div id="codeblock">
<b>xserver_read_xdm_rw_config</b>(
domain
)<br>
</div>
<div id="description">
<h5>Summary</h5>
<p>
Read xdm-writable configuration files.
</p>
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
<p>
Domain allowed access.
</p>
</td><td>
No
</td></tr>
</table>
</div>
</div>
<a name="link_xserver_setattr_xdm_tmp_dirs"></a>
<div id="interface">
<div id="codeblock">
<b>xserver_setattr_xdm_tmp_dirs</b>(
domain
)<br>
</div>
<div id="description">
<h5>Summary</h5>
<p>
Set the attributes of XDM temporary directories.
</p>
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
<p>
Domain allowed access.
</p>
</td><td>
No
</td></tr>
</table>
</div>
</div>
<a name="link_xserver_stream_connect_xdm"></a>
<div id="interface">
<div id="codeblock">
<b>xserver_stream_connect_xdm</b>(
domain
)<br>
</div>
<div id="description">
<h5>Summary</h5>
<p>
Connect to XDM over a unix domain
stream socket.
</p>
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
<p>
Domain allowed access.
</p>
</td><td>
No
</td></tr>
</table>
</div>
</div>
<a name="link_xserver_xsession_entry_type"></a>
<div id="interface">
<div id="codeblock">
<b>xserver_xsession_entry_type</b>(
domain
)<br>
</div>
<div id="description">
<h5>Summary</h5>
<p>
Make an X session script an entrypoint for the specified domain.
</p>
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
<p>
The domain for which the shell is an entrypoint.
</p>
</td><td>
No
</td></tr>
</table>
</div>
</div>
<a name="link_xserver_xsession_spec_domtrans"></a>
<div id="interface">
<div id="codeblock">
<b>xserver_xsession_spec_domtrans</b>(
domain
,
target_domain
)<br>
</div>
<div id="description">
<h5>Summary</h5>
<p>
Execute an X session in the target domain. This
is an explicit transition, requiring the
caller to use setexeccon().
</p>
<h5>Description</h5>
<p>
</p><p>
Execute an Xsession in the target domain. This
is an explicit transition, requiring the
caller to use setexeccon().
</p><p>
</p><p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p><p>
</p>
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
<p>
Domain allowed access.
</p>
</td><td>
No
</td></tr>
<tr><td>
target_domain
</td><td>
<p>
The type of the shell process.
</p>
</td><td>
No
</td></tr>
</table>
</div>
</div>
<a href=#top>Return</a>
<a name="templates"></a>
<h3>Templates: </h3>
<a name="link_xserver_common_domain_template"></a>
<div id="template">
<div id="codeblock">
<b>xserver_common_domain_template</b>(
prefix
)<br>
</div>
<div id="description">
<h5>Summary</h5>
<p>
Template to create types and rules common to
all X server domains.
</p>
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
prefix
</td><td>
<p>
The prefix of the domain (e.g., user
is the prefix for user_t).
</p>
</td><td>
No
</td></tr>
</table>
</div>
</div>
<a name="link_xserver_domtrans_user_xauth"></a>
<div id="template">
<div id="codeblock">
<b>xserver_domtrans_user_xauth</b>(
userdomain_prefix
,
domain
)<br>
</div>
<div id="description">
<h5>Summary</h5>
<p>
Transition to a user Xauthority domain.
</p>
<h5>Description</h5>
<p>
</p><p>
Transition to a user Xauthority domain.
</p><p>
</p><p>
This is a templated interface, and should only
be called from a per-userdomain template.
</p><p>
</p>
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
userdomain_prefix
</td><td>
<p>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</p>
</td><td>
No
</td></tr>
<tr><td>
domain
</td><td>
<p>
Domain allowed access.
</p>
</td><td>
No
</td></tr>
</table>
</div>
</div>
<a name="link_xserver_per_userdomain_template"></a>
<div id="template">
<div id="codeblock">
<b>xserver_per_userdomain_template</b>(
prefix
,
user_domain
,
user_role
)<br>
</div>
<div id="description">
<h5>Summary</h5>
<p>
The per user domain template for the xserver module.
</p>
<h5>Description</h5>
<p>
</p><p>
Define a derived domain for the X server when executed
by a user domain (e.g. via startx). See the xdm module
if using an X Display Manager.
</p><p>
</p><p>
This is invoked automatically for each user and
generally does not need to be invoked directly
by policy writers.
</p><p>
</p>
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
prefix
</td><td>
<p>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</p>
</td><td>
No
</td></tr>
<tr><td>
user_domain
</td><td>
<p>
The type of the user domain.
</p>
</td><td>
No
</td></tr>
<tr><td>
user_role
</td><td>
<p>
The role associated with the user domain.
</p>
</td><td>
No
</td></tr>
</table>
</div>
</div>
<a name="link_xserver_ro_session_template"></a>
<div id="template">
<div id="codeblock">
<b>xserver_ro_session_template</b>(
prefix
,
domain
,
tmpfs_type
)<br>
</div>
<div id="description">
<h5>Summary</h5>
<p>
Template for creating sessions on a
prefix X server, with read-only
access to the X server shared
memory segments.
</p>
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
prefix
</td><td>
<p>
The prefix of the domain (e.g., user
is the prefix for user_t).
</p>
</td><td>
No
</td></tr>
<tr><td>
domain
</td><td>
<p>
Domain allowed access.
</p>
</td><td>
No
</td></tr>
<tr><td>
tmpfs_type
</td><td>
<p>
The type of the domain SYSV tmpfs files.
</p>
</td><td>
No
</td></tr>
</table>
</div>
</div>
<a name="link_xserver_rw_session_template"></a>
<div id="template">
<div id="codeblock">
<b>xserver_rw_session_template</b>(
prefix
,
domain
,
tmpfs_type
)<br>
</div>
<div id="description">
<h5>Summary</h5>
<p>
Template for creating sessions on a
prefix X server, with read and write
access to the X server shared
memory segments.
</p>
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
prefix
</td><td>
<p>
The prefix of the domain (e.g., user
is the prefix for user_t).
</p>
</td><td>
No
</td></tr>
<tr><td>
domain
</td><td>
<p>
Domain allowed access.
</p>
</td><td>
No
</td></tr>
<tr><td>
tmpfs_type
</td><td>
<p>
The type of the domain SYSV tmpfs files.
</p>
</td><td>
No
</td></tr>
</table>
</div>
</div>
<a name="link_xserver_user_client_template"></a>
<div id="template">
<div id="codeblock">
<b>xserver_user_client_template</b>(
prefix
,
domain
,
tmpfs_type
)<br>
</div>
<div id="description">
<h5>Summary</h5>
<p>
Template for creating full client sessions
on a user X server.
</p>
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
prefix
</td><td>
<p>
The prefix of the domain (e.g., user
is the prefix for user_t).
</p>
</td><td>
No
</td></tr>
<tr><td>
domain
</td><td>
<p>
Domain allowed access.
</p>
</td><td>
No
</td></tr>
<tr><td>
tmpfs_type
</td><td>
<p>
The type of the domain SYSV tmpfs files.
</p>
</td><td>
No
</td></tr>
</table>
</div>
</div>
<a href=#top>Return</a>
</div>
</body>
</html>