97 lines
2.1 KiB
Plaintext
97 lines
2.1 KiB
Plaintext
|
#
|
||
|
# Macros for X client programs
|
||
|
#
|
||
|
|
||
|
#
|
||
|
# Author: Russell Coker <russell@coker.com.au>
|
||
|
# Based on the work of Stephen Smalley <sds@epoch.ncsc.mil>
|
||
|
# and Timothy Fraser
|
||
|
#
|
||
|
|
||
|
# Allows clients to write to the X server's shm
|
||
|
bool allow_write_xshm false;
|
||
|
|
||
|
define(`xsession_domain', `
|
||
|
|
||
|
# Connect to xserver
|
||
|
can_unix_connect($1_t, $2_xserver_t)
|
||
|
|
||
|
# Read /tmp/.X0-lock
|
||
|
allow $1_t $2_xserver_tmp_t:file { getattr read };
|
||
|
|
||
|
# Signal Xserver
|
||
|
allow $1_t $2_xserver_t:process signal;
|
||
|
|
||
|
# Xserver read/write client shm
|
||
|
allow $2_xserver_t $1_t:fd use;
|
||
|
allow $2_xserver_t $1_t:shm rw_shm_perms;
|
||
|
allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
|
||
|
|
||
|
# Client read xserver shm
|
||
|
allow $1_t $2_xserver_t:fd use;
|
||
|
allow $1_t $2_xserver_t:shm r_shm_perms;
|
||
|
allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
|
||
|
|
||
|
# Client write xserver shm
|
||
|
if (allow_write_xshm) {
|
||
|
allow $1_t $2_xserver_t:shm rw_shm_perms;
|
||
|
allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
|
||
|
}
|
||
|
|
||
|
')
|
||
|
|
||
|
#
|
||
|
# x_client_domain(client, role)
|
||
|
#
|
||
|
# Defines common X access rules for the client domain
|
||
|
#
|
||
|
define(`x_client_domain',`
|
||
|
|
||
|
# Create socket to communicate with X server
|
||
|
allow $1_t self:unix_dgram_socket create_socket_perms;
|
||
|
allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||
|
|
||
|
# Read .Xauthority file
|
||
|
ifdef(`xauth.te',`
|
||
|
allow $1_t home_root_t:dir { search getattr };
|
||
|
allow $1_t $2_home_dir_t:dir { search getattr };
|
||
|
allow $1_t $2_xauth_home_t:file { getattr read };
|
||
|
')
|
||
|
|
||
|
# for .xsession-errors
|
||
|
dontaudit $1_t $2_home_t:file write;
|
||
|
|
||
|
# for X over a ssh tunnel
|
||
|
ifdef(`ssh.te', `
|
||
|
can_tcp_connect($1_t, sshd_t)
|
||
|
')
|
||
|
|
||
|
# Use a separate type for tmpfs/shm pseudo files.
|
||
|
tmpfs_domain($1)
|
||
|
allow $1_t self:shm create_shm_perms;
|
||
|
|
||
|
# allow X client to read all font files
|
||
|
read_fonts($1_t, $2)
|
||
|
|
||
|
# Allow connections to X server.
|
||
|
ifdef(`xserver.te', `
|
||
|
allow $1_t tmp_t:dir search;
|
||
|
|
||
|
ifdef(`xdm.te', `
|
||
|
xsession_domain($1, xdm)
|
||
|
|
||
|
# for when /tmp/.X11-unix is created by the system
|
||
|
can_pipe_xdm($1_t)
|
||
|
allow $1_t xdm_tmp_t:dir search;
|
||
|
allow $1_t xdm_tmp_t:sock_file { read write };
|
||
|
dontaudit $1_t xdm_t:tcp_socket { read write };
|
||
|
')
|
||
|
|
||
|
ifdef(`startx.te', `
|
||
|
xsession_domain($1, $2)
|
||
|
')dnl end startx
|
||
|
|
||
|
')dnl end xserver
|
||
|
|
||
|
')dnl end x_client macro
|