more xdm work

refpolicy/policy/modules/kernel/devices.if

@@ -1379,6 +1379,22 @@ interface(`dev_write_misc',`
 	allow $1 misc_device_t:chr_file { getattr write ioctl };
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read and write miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_dontaudit_rw_misc',`
+	gen_require(`
+		type misc_device_t;
+	')
+
+	dontaudit $1 misc_device_t:chr_file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the mouse devices.

refpolicy/policy/modules/kernel/storage.if

@@ -136,6 +136,24 @@ interface(`storage_raw_write_fixed_disk',`
 	typeattribute $1 fixed_disk_raw_write;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts made by the caller to write
+##	fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`storage_dontaudit_write_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+		
+	')
+
+	dontaudit $1 fixed_disk_device_t:blk_file { write append ioctl };
+')
+
 ########################################
 ## <summary>
 ##	Create block devices in /dev with the fixed disk type.
@@ -379,6 +397,23 @@ interface(`storage_set_scsi_generic_attributes',`
 	allow $1 scsi_generic_device_t:chr_file setattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	SCSI generic device interfaces.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`storage_dontaudit_rw_scsi_generic',`
+	gen_require(`
+		type scsi_generic_device_t;
+	')
+
+	dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to get the attributes of removable
@@ -494,6 +529,22 @@ interface(`storage_raw_read_removable_device',`
 	allow $1 removable_device_t:blk_file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to directly read removable devices.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`storage_dontaudit_raw_read_removable_device',`
+	gen_require(`
+		type removable_device_t;
+	')
+
+	dontaudit $1 removable_device_t:blk_file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to directly write to
@@ -516,6 +567,22 @@ interface(`storage_raw_write_removable_device',`
 	allow $1 removable_device_t:blk_file { getattr write ioctl };
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to directly write removable devices.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`storage_dontaudit_raw_write_removable_device',`
+	gen_require(`
+		type removable_device_t;
+	')
+
+	dontaudit $1 removable_device_t:blk_file { write append ioctl };
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to directly read

refpolicy/policy/modules/services/gpm.if

@@ -1,5 +1,23 @@
 ## <summary>General Purpose Mouse driver</summary>
 
+########################################
+## <summary>
+##	Connect to GPM over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`gpm_stream_connect',`
+	gen_require(`
+		type gpmctl_t, gpm_t;
+	')
+
+	allow $1 gpmctl_t:sock_file { getattr write };
+	allow $1 gpm_t:unix_stream_socket connectto;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the GPM
@@ -12,7 +30,6 @@
 interface(`gpm_getattr_gpmctl',`
 	gen_require(`
 		type gpmctl_t;
-		class sock_file getattr;
 	')
 
 	dev_list_all_dev_nodes($1)
@@ -32,10 +49,8 @@ interface(`gpm_getattr_gpmctl',`
 interface(`gpm_dontaudit_getattr_gpmctl',`
 	gen_require(`
 		type gpmctl_t;
-		class sock_file getattr;
 	')
 
-	dev_list_all_dev_nodes($1)
 	dontaudit $1 gpmctl_t:sock_file getattr;
 ')
 
@@ -51,7 +66,6 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
 interface(`gpm_setattr_gpmctl',`
 	gen_require(`
 		type gpmctl_t;
-		class sock_file setattr;
 	')
 
 	dev_list_all_dev_nodes($1)

refpolicy/policy/modules/services/xdm.te

@@ -28,12 +28,12 @@ files_lock_file(xdm_lock_t)
 type xdm_rw_etc_t;
 files_type(xdm_rw_etc_t)
 
-type xdm_var_run_t;
-files_type(xdm_var_run_t)
-
 type xdm_var_lib_t;
 files_type(xdm_var_lib_t)
 
+type xdm_var_run_t;
+files_type(xdm_var_run_t)
+
 type xdm_tmp_t;
 files_tmp_file(xdm_tmp_t)
 
@@ -46,11 +46,17 @@ files_tmpfs_file(xdm_tmpfs_t)
 #
 
 allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid setsched setrlimit };
+allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms };
 allow xdm_t self:fifo_file rw_file_perms;
 allow xdm_t self:shm create_shm_perms;
+allow xdm_t self:sem create_sem_perms;
 allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow xdm_t self:unix_dgram_socket create_socket_perms;
+allow xdm_t self:tcp_socket create_stream_socket_perms;
+allow xdm_t self:udp_socket create_socket_perms;
+
+# Allow gdm to run gdm-binary
+can_exec(xdm_t, xdm_exec_t)
 
 # wdm has its own config dir /etc/X11/wdm
 # this is ugly, daemons should not create files under /etc!
@@ -68,16 +74,61 @@ corecmd_exec_shell(xdm_t)
 corecmd_exec_bin(xdm_t)
 corecmd_exec_sbin(xdm_t)
 
+corenet_tcp_sendrecv_generic_if(xdm_t)
+corenet_udp_sendrecv_generic_if(xdm_t)
+corenet_raw_sendrecv_generic_if(xdm_t)
+corenet_tcp_sendrecv_all_nodes(xdm_t)
+corenet_udp_sendrecv_all_nodes(xdm_t)
+corenet_raw_sendrecv_all_nodes(xdm_t)
+corenet_tcp_sendrecv_all_ports(xdm_t)
+corenet_udp_sendrecv_all_ports(xdm_t)
+corenet_non_ipsec_sendrecv(xdm_t)
+corenet_tcp_bind_all_nodes(xdm_t)
+corenet_udp_bind_all_nodes(xdm_t)
 corenet_tcp_connect_all_ports(xdm_t)
+# xdm tries to bind to biff_port_t
+corenet_dontaudit_tcp_bind_all_ports(xdm_t)
 
 dev_read_rand(xdm_t)
 dev_read_urand(xdm_t)
+dev_read_sysfs(xdm_t)
+dev_getattr_framebuffer(xdm_t)
+dev_setattr_framebuffer(xdm_t)
+dev_getattr_mouse(xdm_t)
+dev_setattr_mouse(xdm_t)
+dev_rw_apm_bios(xdm_t)
+dev_setattr_apm_bios(xdm_t)
+dev_rw_dri_dev(xdm_t)
+dev_rw_agp_dev(xdm_t)
+dev_getattr_xserver_misc_dev(xdm_t)
+dev_setattr_xserver_misc_dev(xdm_t)
+dev_getattr_misc(xdm_t)
+dev_setattr_misc(xdm_t)
+dev_dontaudit_rw_misc(xdm_t)
+dev_getattr_video_dev(xdm_t)
+dev_setattr_video_dev(xdm_t)
+dev_getattr_scanner(xdm_t)
+dev_setattr_scanner(xdm_t)
+dev_getattr_snd_dev(xdm_t)
+dev_setattr_snd_dev(xdm_t)
+dev_getattr_power_management(xdm_t)
+dev_setattr_power_management(xdm_t)
+
+domain_use_wide_inherit_fd(xdm_t)
+# Do not audit denied probes of /proc.
+domain_dontaudit_read_all_domains_state(xdm_t)
 
 files_read_etc_files(xdm_t)
 files_read_etc_runtime_files(xdm_t)
 files_exec_etc_files(xdm_t)
+files_list_mnt(xdm_t)
 # Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
 files_read_usr_files(xdm_t)
+# Poweroff wants to create the /poweroff file when run from xdm
+files_create_boot_flag(xdm_t)
+
+fs_getattr_all_fs(xdm_t)
+fs_search_auto_mountpoints(xdm_t)
 
 selinux_get_fs_mount(xdm_t)
 selinux_validate_context(xdm_t)
@@ -86,18 +137,54 @@ selinux_compute_create_context(xdm_t)
 selinux_compute_relabel_context(xdm_t)
 selinux_compute_user_contexts(xdm_t)
 
+storage_dontaudit_read_fixed_disk(xdm_t)
+storage_dontaudit_write_fixed_disk(xdm_t)
+storage_dontaudit_setattr_fixed_disk(xdm_t)
+storage_dontaudit_raw_read_removable_device(xdm_t)
+storage_dontaudit_raw_write_removable_device(xdm_t)
+storage_dontaudit_setattr_removable_device(xdm_t)
+storage_dontaudit_rw_scsi_generic(xdm_t)
+
+term_setattr_console(xdm_t)
+term_dontaudit_use_console(xdm_t)
+term_use_unallocated_tty(xdm_t)
+term_setattr_unallocated_ttys(xdm_t)
+
 auth_rw_lastlog(xdm_t)
+auth_read_login_records(xdm_t)
 auth_append_login_records(xdm_t)
+auth_manage_pam_pid(xdm_t)
+auth_exec_pam(xdm_t)
+auth_manage_pam_console_data(xdm_t)
 
 init_rw_utmp(xdm_t)
-# for reboot
+init_use_script_pty(xdm_t)
+# Run telinit->init to shutdown.
+init_exec(xdm_t)
 init_write_initctl(xdm_t)
 
+libs_use_ld_so(xdm_t)
+libs_use_shared_libs(xdm_t)
 libs_exec_lib_files(xdm_t)
 
+logging_send_syslog_msg(xdm_t)
+logging_read_generic_logs(xdm_t)
+
+miscfiles_read_localization(xdm_t)
+miscfiles_read_fonts(xdm_t)
+
 seutil_read_config(xdm_t)
 seutil_read_default_contexts(xdm_t)
 
+sysnet_read_config(xdm_t)
+
+userdom_dontaudit_use_unpriv_user_fd(xdm_t)
+userdom_dontaudit_search_sysadm_home_dir(xdm_t)
+# for .dmrc
+userdom_read_unpriv_user_home_files(xdm_t)
+# Search /proc for any user domain processes.
+userdom_read_all_userdomains_state(xdm_t)
+
 ifdef(`strict_policy',`
 	allow xdm_t xdm_lock_t:file create_file_perms;
 	files_filetrans_lock(xdm_t,xdm_lock_t)
@@ -122,7 +209,18 @@ ifdef(`strict_policy',`
 	allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
 	files_filetrans_pid(xdm_t,xdm_var_run_t,{ dir fifo_file })
 
+	domain_subj_id_change_exempt(xdm_t)
+	domain_role_change_exempt(xdm_t)
+	domain_obj_id_change_exempt(xdm_t)
+
+	auth_domtrans_chk_passwd(xdm_t)
+	auth_domtrans_pam_console(xdm_t)	
+
 	xserver_dontaudit_read_all_users_iceauth(xdm_t)
+
+	optional_policy(`alsa',`
+		alsa_domtrans(xdm_t)
+	')
 ')
 
 ifdef(`targeted_policy',`
@@ -131,6 +229,12 @@ ifdef(`targeted_policy',`
 	unconfined_domtrans(xdm_t)
 ')
 
+optional_policy(`gpm',`
+	# Talk to the console mouse server.
+	gpm_stream_connect(xdm_t)
+	gpm_setattr_gpmctl(xdm_t)
+')
+
 optional_policy(`hostname',`
 	hostname_exec(xdm_t)
 ')
@@ -143,14 +247,28 @@ optional_policy(`locallogin',`
 	locallogin_signull(xdm_t)
 ')
 
+optional_policy(`nscd',`
+	nscd_use_socket(xdm_t)
+')
+
+optional_policy(`selinuxutil',`
+	seutil_sigchld_newrole(xdm_t)
+')
+
+optional_policy(`udev',`
+	udev_read_db(xdm_t)
+')
+
 optional_policy(`userhelper',`
 	userhelper_dontaudit_search_config(xdm_t)
 ')
 
+optional_policy(`usermanage',`
+	usermanage_read_crack_db(xdm_t)
+')
+
 ifdef(`TODO',`
 # cjp: TODO: integrate strict policy:
-daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
-
 allow initrc_t xdm_var_run_t:fifo_file unlink;
 
 # NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
@@ -159,8 +277,6 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
 allow xdm_xserver_t xdm_var_run_t:file { getattr read };
 
-can_network(xdm_t)
-
 allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
 allow xdm_t xdm_xserver_t:process signal;
 allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
@@ -207,22 +323,9 @@ allow xdm_xserver_t sysadm_t:fd use;
 rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
 allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
 
-allow xdm_t xdm_xserver_t:process sigkill;
-allow xdm_t xdm_xserver_tmp_t:file unlink;
-
-# Access devices.
-allow xdm_t console_device_t:chr_file setattr;
 allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
-allow xdm_t framebuf_device_t:chr_file { getattr setattr };
+
-allow xdm_t mouse_device_t:chr_file { getattr setattr };
-allow xdm_t apm_bios_t:chr_file { setattr getattr read write };
-allow xdm_t dri_device_t:chr_file rw_file_perms;
 allow xdm_t device_t:dir rw_dir_perms;
-allow xdm_t agp_device_t:chr_file rw_file_perms;
-allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr };
-allow xdm_t v4l_device_t:chr_file { setattr getattr };
-allow xdm_t scanner_device_t:chr_file { setattr getattr };
-allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr };
 can_resmgrd_connect(xdm_t)
 
 # Access xdm log files.
@@ -243,14 +346,6 @@ allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
 allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
 allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
 
-ifdef(`gpm.te', `
-# Talk to the console mouse server.
-allow xdm_t gpmctl_t:sock_file { getattr setattr write };
-allow xdm_t gpm_t:unix_stream_socket connectto;
-')
-
-allow xdm_t sysfs_t:dir search;
-
 # Need to further investigate these permissions and
 # perhaps define derived types.
 allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
@@ -266,35 +361,12 @@ can_unix_connect(xdm_t, xfs_t)
 # Signal any user domain.
 allow xdm_t userdomain:process signal_perms;
 
-# Search /proc for any user domain processes.
-allow xdm_t userdomain:dir r_dir_perms;
-allow xdm_t userdomain:{ file lnk_file } r_file_perms;
-
-# Allow xdm access to the user domains
-allow xdm_t home_root_t:dir search;
-allow xdm_xserver_t home_root_t:dir search;
-
 # Do not audit denied attempts to access devices.
-dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms};
-dontaudit xdm_t device_t:file_class_set rw_file_perms;
-dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
-dontaudit xdm_t removable_device_t:file_class_set rw_file_perms;
-dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms;
 dontaudit xdm_t devpts_t:dir search;
 
-# Do not audit denied probes of /proc.
-dontaudit xdm_t domain:dir r_dir_perms;
-dontaudit xdm_t domain:{ file lnk_file } r_file_perms;
-
-# Read fonts
-read_fonts(xdm_t)
-
 # Do not audit attempts to write to index files under /usr
 dontaudit xdm_t usr_t:file write;
 
-# Do not audit access to /root
-dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };
-
 # Do not audit user access to the X log files due to file handle inheritance
 dontaudit unpriv_userdomain xserver_log_t:file { write append };
 
@@ -302,12 +374,6 @@ dontaudit unpriv_userdomain xserver_log_t:file { write append };
 dontaudit xdm_t { var_spool_t mail_spool_t }:dir search;
 dontaudit xdm_t mail_spool_t:file getattr;
 
-# Access sound device.
-allow xdm_t sound_device_t:chr_file { setattr getattr };
-
-# Allow setting of attributes on power management devices.
-allow xdm_t power_device_t:chr_file { getattr setattr };
-
 # Run the X server in a derived domain.
 xserver_domain(xdm)
 
@@ -317,28 +383,10 @@ allow xdm_xserver_t ramfs_t:file create_file_perms;
 allow rhgb_t xdm_xserver_t:process signal;
 ')
 
-# Unrestricted inheritance.
-allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh };
-
-# Run xkbcomp.
-allow xdm_xserver_t var_lib_t:dir search;
-allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
-can_exec(xdm_xserver_t, xkb_var_lib_t)
-
-optional_policy(`prelink',`
-	prelink_object_file(xkb_var_lib_t)
-')
-
 # Insert video drivers.  
-allow xdm_xserver_t self:capability mknod;
-allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
-domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t)
 allow insmod_t xserver_log_t:file write;
 allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
 
-# Read /proc/dri/.*
-allow xdm_xserver_t proc_t:dir { search read };
-
 # Search /var/run.
 allow xdm_xserver_t var_run_t:dir search;
 
@@ -348,6 +396,7 @@ allow xdm_xserver_t var_run_t:dir search;
 # (xauth?)
 
 # Search home directories.
+allow xdm_xserver_t home_root_t:dir search;
 allow xdm_xserver_t user_home_type:dir search;
 allow xdm_xserver_t user_home_type:file { getattr read };
 
@@ -364,13 +413,9 @@ allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
 can_exec(xdm_t, cifs_t)
 }
 
-# for .dmrc
-allow xdm_t user_home_dir_type:dir { getattr search };
-allow xdm_t user_home_type:file { getattr read };
-
 ifdef(`support_polyinstatiation', `
 # xdm_t can polyinstantiate
-polyinstantiater(xdm_t)
+files_polyinstantiate_all(xdm_t)
 # xdm needs access for linking .X11-unix to poly /tmp
 allow xdm_t polymember:dir { add_name remove_name write };
 allow xdm_t polymember:lnk_file { create unlink };
@@ -378,7 +423,6 @@ allow xdm_t polymember:lnk_file { create unlink };
 allow xdm_t polymember:file { create getattr write };
 ')
 
-allow xdm_t mnt_t:dir { getattr read search };
 #
 # Wants to delete .xsession-errors file
 #
@@ -386,46 +430,10 @@ allow xdm_t user_home_type:file unlink;
 #
 # Should fix exec of pam_timestamp_check is not closing xdm file descriptor
 #
-ifdef(`pam.te', `
-allow xdm_t pam_var_run_t:dir create_dir_perms;
-allow xdm_t pam_var_run_t:file create_file_perms;
 allow pam_t xdm_t:fifo_file { getattr ioctl write };
-domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t)
-can_exec(xdm_t, pam_exec_t)
-# For pam_console
-rw_dir_create_file(xdm_t, pam_var_console_t)
-')
-
-# Pamconsole/alsa 
-ifdef(`alsa.te', `
-domain_auto_trans(xdm_t, alsa_exec_t, alsa_t)
-') dnl ifdef
-
-allow xdm_t var_log_t:file { getattr read };
-allow xdm_t wtmp_t:file { getattr read };
-
-#
-# Poweroff wants to create the /poweroff file when run from xdm
-#
-file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)
-
-#
-# xdm tries to bind to biff_port_t
-#
-dontaudit xdm_t port_type:tcp_socket name_bind;
 
 # VNC v4 module in X server
-allow xdm_xserver_t vnc_port_t:tcp_socket name_bind; 
+corenet_tcp_bind_vnc_port(xdm_xserver_t)
-ifdef(`crack.te', `
-allow xdm_t crack_db_t:file r_file_perms;
-')
-
-# Run telinit->init to shutdown.
-can_exec(xdm_t, init_exec_t)
-allow xdm_t self:sem create_sem_perms;
-
-# Allow gdm to run gdm-binary
-can_exec(xdm_t, xdm_exec_t)
 
 # Supress permission check on .ICE-unix
 dontaudit xdm_t ice_tmp_t:dir { getattr setattr };

refpolicy/policy/modules/services/xserver.if

@@ -68,6 +68,7 @@ template(`xserver_common_domain_template',`
 
 	kernel_read_system_state($1_xserver_t)
 	kernel_read_device_sysctl($1_xserver_t)
+	kernel_read_modprobe_sysctl($1_xserver_t)
 	# Xorg wants to check if kernel is tainted
 	kernel_read_kernel_sysctl($1_xserver_t)
 
@@ -129,6 +130,8 @@ template(`xserver_common_domain_template',`
 	miscfiles_read_localization($1_xserver_t)
 	miscfiles_read_fonts($1_xserver_t)
 
+	modutils_domtrans_insmod($1_xserver_t)
+
 	seutil_dontaudit_search_config($1_xserver_t)
 
 	sysnet_read_config($1_xserver_t)
@@ -147,10 +150,6 @@ template(`xserver_common_domain_template',`
 
 	ifdef(`TODO',`
 	ifdef(`distro_redhat',`
-		kernel_read_modprobe_sysctl($1_xserver_t)
-
-		modutils_domtrans_insmod($1_xserver_t)
-
 		ifdef(`rpm.te', `
 			allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
 			allow $1_xserver_t rpm_tmpfs_t:file { read write };
@@ -430,8 +429,9 @@ template(`xserver_displaymgr_domain_template',`
 	allow $1_xserver_t $2:fd use;
 	allow $1_xserver_t $2:fifo_file rw_file_perms;
 	allow $1_xserver_t $2:process { signal sigchld };
+	allow $2 $1_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
 
-	allow $2 $1_xserver_t:process signal;
+	allow $2 $1_xserver_tmp_t:file unlink;
 
 	allow $2 $1_xserver_tmp_t:dir r_dir_perms;
 	allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
@@ -440,6 +440,11 @@ template(`xserver_displaymgr_domain_template',`
 	allow $2 $1_xserver_t:shm rw_shm_perms;
 	allow $1_xserver_t $2:shm rw_shm_perms;
 
+	# Run xkbcomp.
+	can_exec($1_xserver_t, xkb_var_lib_t)
+	allow $1_xserver_t xkb_var_lib_t:lnk_file read;
+	files_search_var_lib($1_xserver_t)
+
 	init_use_fd($1_xserver_t)
 
 	userdom_dontaudit_search_all_users_home($1_xserver_t)

refpolicy/policy/modules/services/xserver.te

@@ -28,3 +28,7 @@ files_type(xserver_exec_t)
 # Type for the X server log file.
 type xserver_log_t;
 logging_log_file(xserver_log_t)
+
+optional_policy(`prelink',`
+	prelink_object_file(xkb_var_lib_t)
+')