# # Macros for X server domains. # # # Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser # ################################# # # xserver_domain(domain_prefix) # # Define a derived domain for the X server when executed # by a user domain (e.g. via startx). See the xdm_t domain # in domains/program/xdm.te if using an X Display Manager. # # The type declarations for the executable type for this program # and the log type are provided separately in domains/program/xserver.te. # # FIXME! The X server requires far too many privileges. # undefine(`xserver_domain') ifdef(`xserver.te', ` define(`xserver_domain',` # Derived domain based on the calling user domain and the program. ifdef(`distro_redhat', ` type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain; allow $1_xserver_t sysctl_modprobe_t:file { getattr read }; ifdef(`rpm.te', ` allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr }; allow $1_xserver_t rpm_tmpfs_t:file { read write }; allow $1_xserver_t rpm_t:fd use; ') ', ` type $1_xserver_t, domain, privlog, privmem, nscd_client_domain; ') # for SSP allow $1_xserver_t urandom_device_t:chr_file { getattr read ioctl }; # Transition from the user domain to this domain. ifelse($1, xdm, ` ifdef(`xdm.te', ` domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t) ') ', ` domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t) ')dnl end ifelse xdm can_exec($1_xserver_t, xserver_exec_t) uses_shlib($1_xserver_t) allow $1_xserver_t texrel_shlib_t:file execmod; can_network($1_xserver_t) allow $1_xserver_t port_type:tcp_socket name_connect; can_ypbind($1_xserver_t) allow $1_xserver_t xserver_port_t:tcp_socket name_bind; # for access within the domain general_domain_access($1_xserver_t) allow $1_xserver_t self:process execmem; # Until the X module loader is fixed. allow $1_xserver_t self:process execheap; allow $1_xserver_t etc_runtime_t:file { getattr read }; ifelse($1, xdm, ` # The system role is authorised for the xdm and initrc domains role system_r types xdm_xserver_t; allow xdm_xserver_t init_t:fd use; dontaudit xdm_xserver_t home_dir_type:dir { read search }; # Read all global and per user fonts read_fonts($1_xserver_t, sysadm) read_fonts($1_xserver_t, staff) read_fonts($1_xserver_t, user) ', ` # The user role is authorized for this domain. role $1_r types $1_xserver_t; allow $1_xserver_t getty_t:fd use; allow $1_xserver_t local_login_t:fd use; allow $1_xserver_t $1_tty_device_t:chr_file { setattr rw_file_perms }; allow $1_xserver_t $1_tmpfs_t:file rw_file_perms; allow $1_t $1_xserver_tmpfs_t:file rw_file_perms; can_unix_connect($1_t, $1_xserver_t) # Read fonts read_fonts($1_xserver_t, $1) # Access the home directory. allow $1_xserver_t home_root_t:dir search; allow $1_xserver_t $1_home_dir_t:dir { getattr search }; ifdef(`xauth.te', ` domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t) allow $1_xserver_t $1_xauth_home_t:file { getattr read }; ', ` allow $1_xserver_t $1_home_t:file { getattr read }; ')dnl end ifdef xauth ifdef(`userhelper.te', ` allow $1_xserver_t userhelper_conf_t:dir search; ')dnl end ifdef userhelper ')dnl end ifelse xdm allow $1_xserver_t self:process setsched; allow $1_xserver_t fs_t:filesystem getattr; # Xorg wants to check if kernel is tainted read_sysctl($1_xserver_t) # Use capabilities. # allow setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer # sys_admin, locking shared mem? chowning IPC message queues or semaphores? # admin of APM bios? # sys_nice is so that the X server can set a negative nice value allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; allow $1_xserver_t nfs_t:dir { getattr search }; # memory_device_t access is needed if not using the frame buffer #dontaudit $1_xserver_t memory_device_t:chr_file read; allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute }; # net_bind_service is needed if you want your X server to allow TCP connections # from other hosts, EG an XDM serving a network of X terms # if you want good security you do not want this # not sure why some people want chown, fsetid, and sys_tty_config. #allow $1_xserver_t self:capability { net_bind_service chown fsetid sys_tty_config }; dontaudit $1_xserver_t self:capability chown; # for nscd dontaudit $1_xserver_t var_run_t:dir search; allow $1_xserver_t mtrr_device_t:file rw_file_perms; allow $1_xserver_t apm_bios_t:chr_file rw_file_perms; allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms; allow $1_xserver_t device_t:lnk_file { getattr read }; allow $1_xserver_t devtty_t:chr_file rw_file_perms; allow $1_xserver_t zero_device_t:chr_file { read write execute }; # Type for temporary files. tmp_domain($1_xserver, `', `{ dir file sock_file }') file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file) ifelse($1, xdm, ` ifdef(`xdm.te', ` allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; allow xdm_t $1_xserver_t:process signal; can_unix_connect(xdm_t, xdm_xserver_t) allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms; allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms; allow xdm_xserver_t xdm_t:process signal; allow xdm_xserver_t xdm_t:shm rw_shm_perms; allow xdm_t xdm_xserver_t:shm rw_shm_perms; dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write }; ') ', ` allow $1_t xdm_xserver_tmp_t:dir r_dir_perms; allow $1_t xdm_xserver_t:unix_stream_socket connectto; allow $1_t $1_xserver_t:process signal; # Allow the user domain to connect to the X server. can_unix_connect($1_t, $1_xserver_t) allow $1_t $1_xserver_tmp_t:sock_file rw_file_perms; allow $1_t $1_xserver_tmp_t:dir r_dir_perms; ifdef(`xdm.te', ` allow $1_t xdm_tmp_t:sock_file unlink; allow $1_xserver_t xdm_var_run_t:dir search; ') # Signal the user domain. allow $1_xserver_t $1_t:process signal; # Communicate via System V shared memory. allow $1_xserver_t $1_t:shm rw_shm_perms; allow $1_t $1_xserver_t:shm rw_shm_perms; allow $1_xserver_t initrc_t:shm rw_shm_perms; ')dnl end ifelse xdm # Create files in /var/log with the xserver_log_t type. allow $1_xserver_t var_t:dir search; file_type_auto_trans($1_xserver_t, var_log_t, xserver_log_t, file) allow $1_xserver_t xserver_log_t:dir r_dir_perms; # Access AGP device. allow $1_xserver_t agp_device_t:chr_file rw_file_perms; # for other device nodes such as the NVidia binary-only driver allow $1_xserver_t xserver_misc_device_t:chr_file rw_file_perms; # Access /proc/mtrr allow $1_xserver_t proc_t:file rw_file_perms; allow $1_xserver_t proc_t:lnk_file { getattr read }; # Access /proc/sys/dev allow $1_xserver_t sysctl_dev_t:dir search; allow $1_xserver_t sysctl_dev_t:file { getattr read }; # Access /proc/bus/pci allow $1_xserver_t proc_t:dir r_dir_perms; # Create and access /dev/dri devices. allow $1_xserver_t device_t:dir { create setattr }; file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file) # brought on by rhgb allow $1_xserver_t mnt_t:dir search; allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms }; # Run helper programs in $1_xserver_t. allow $1_xserver_t { bin_t sbin_t }:dir search; allow $1_xserver_t etc_t:{ file lnk_file } { getattr read }; allow $1_xserver_t bin_t:lnk_file read; can_exec($1_xserver_t, { bin_t shell_exec_t }) # Connect to xfs. ifdef(`xfs.te', ` can_unix_connect($1_xserver_t, xfs_t) allow $1_xserver_t xfs_tmp_t:dir r_dir_perms; allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms; # Bind to the X server socket in /tmp. allow $1_xserver_t $1_xserver_tmp_t:unix_stream_socket name_bind; ') read_locale($1_xserver_t) # Type for tmpfs/shm files. tmpfs_domain($1_xserver) ifelse($1, xdm, ` ifdef(`xdm.te', ` allow xdm_xserver_t xdm_t:shm rw_shm_perms; allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms; ') ', ` allow $1_xserver_t $1_t:shm rw_shm_perms; rw_dir_file($1_xserver_t, $1_tmpfs_t) ')dnl end ifelse xdm r_dir_file($1_xserver_t,sysfs_t) # Use the mouse. allow $1_xserver_t mouse_device_t:chr_file rw_file_perms; # Allow xserver to read events - the synaptics touchpad # driver reads raw events allow $1_xserver_t event_device_t:chr_file rw_file_perms; ifdef(`pamconsole.te', ` allow $1_xserver_t pam_var_console_t:dir search; ') dontaudit $1_xserver_t selinux_config_t:dir search; allow $1_xserver_t var_lib_t:dir search; rw_dir_create_file($1_xserver_t, xkb_var_lib_t) ')dnl end macro definition ', ` define(`xserver_domain',`') ')