## X Windows Server ######################################## ## ## Rules required for using the X Windows server ## and environment. ## ## ## ## Role allowed access. ## ## ## ## ## Domain allowed access. ## ## # interface(`xserver_role',` gen_require(` type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t; type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; type iceauth_t, iceauth_exec_t, iceauth_home_t; type xauth_t, xauth_exec_t, xauth_home_t; type info_xproperty_t, rootwindow_t; class x_drawable all_x_drawable_perms; class x_screen all_x_screen_perms; class x_gc all_x_gc_perms; class x_font all_x_font_perms; class x_colormap all_x_colormap_perms; class x_property all_x_property_perms; class x_selection all_x_selection_perms; class x_cursor all_x_cursor_perms; class x_client all_x_client_perms; class x_device all_x_device_perms; class x_server all_x_server_perms; class x_extension all_x_extension_perms; class x_resource all_x_resource_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; ') role $1 types { xserver_t xauth_t iceauth_t }; domtrans_pattern($2, xserver_exec_t, xserver_t) allow xserver_t $2:process signal; allow xserver_t $2:shm rw_shm_perms; manage_dirs_pattern($2, user_fonts_t, user_fonts_t) manage_files_pattern($2, user_fonts_t, user_fonts_t) relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) relabel_files_pattern($2, user_fonts_t, user_fonts_t) manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) allow $2 xserver_tmpfs_t:file rw_file_perms; # Communicate via System V shared memory. allow xserver_t $2:shm rw_shm_perms; allow $2 xserver_t:shm rw_shm_perms; # allow ps to show iceauth ps_process_pattern($2, iceauth_t) domtrans_pattern($2, iceauth_exec_t, iceauth_t) allow $2 iceauth_home_t:file manage_file_perms; allow $2 iceauth_home_t:file { relabelfrom relabelto }; domtrans_pattern($2, xauth_exec_t, xauth_t) allow $2 xauth_t:process signal; # allow ps to show xauth ps_process_pattern($2,xauth_t) allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; xserver_common_x_domain_template(user, $2) ############################## # # User X object manager local policy # # manage: xhost X11:ChangeHosts # freeze: metacity X11:GrabKey # force_cursor: metacity X11:GrabPointer allow $2 xserver_t:x_device { manage freeze force_cursor }; # gnome-settings-daemon XKEYBOARD:SetControls allow $2 xserver_t:x_server manage; # gnome-settings-daemon RANDR:SelectInput allow $2 xserver_t:x_resource write; # metacity X11:InstallColormap X11:UninstallColormap allow $2 rootwindow_t:x_colormap { install uninstall }; # read: gnome-settings-daemon RANDR:GetScreenSizeRange # write: gnome-settings-daemon RANDR:SelectInput # setattr: gnome-settings-daemon X11:GrabKey # manage: metacity X11:ChangeWindowAttributes allow $2 rootwindow_t:x_drawable { read write manage setattr }; # setattr: metacity X11:InstallColormap allow $2 xserver_t:x_screen { saver_getattr saver_setattr setattr }; # xrdb X11:ChangeProperty prop=RESOURCE_MANAGER allow $2 info_xproperty_t:x_property { create append write }; ') ####################################### ## ## Create sessions on the X server, with read-only ## access to the X server shared ## memory segments. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the domain SYSV tmpfs files. ## ## # interface(`xserver_ro_session',` gen_require(` type xserver_t, xserver_tmp_t, xserver_tmpfs_t; ') # Xserver read/write client shm allow xserver_t $1:fd use; allow xserver_t $1:shm rw_shm_perms; allow xserver_t $2:file rw_file_perms; # Connect to xserver allow $1 xserver_t:unix_stream_socket connectto; allow $1 xserver_t:process signal; # Read /tmp/.X0-lock allow $1 xserver_tmp_t:file { getattr read }; # Client read xserver shm allow $1 xserver_t:fd use; allow $1 xserver_t:shm r_shm_perms; allow $1 xserver_tmpfs_t:file read_file_perms; ') ####################################### ## ## Create sessions on the X server, with read and write ## access to the X server shared ## memory segments. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the domain SYSV tmpfs files. ## ## # interface(`xserver_rw_session',` gen_require(` type xserver_t, xserver_tmpfs_t; ') xserver_ro_session($1,$2) allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') ####################################### ## ## Create full client sessions ## on a user X server. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the domain SYSV tmpfs files. ## ## # interface(`xserver_user_client',` # refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` type xdm_t, xdm_tmp_t; type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; ') allow $1 self:shm create_shm_perms; allow $1 self:unix_dgram_socket create_socket_perms; allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file allow $1 xauth_home_t:file { getattr read }; allow $1 iceauth_home_t:file { getattr read }; # for when /tmp/.X11-unix is created by the system allow $1 xdm_t:fd use; allow $1 xdm_t:fifo_file { getattr read write ioctl }; allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; # Allow connections to X server. files_search_tmp($1) miscfiles_read_fonts($1) userdom_search_user_home_dirs($1) # for .xsession-errors userdom_dontaudit_write_user_home_content_files($1) xserver_ro_session($1,$2) xserver_use_user_fonts($1) xserver_read_xdm_tmp_files($1) # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') ') ####################################### ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Provides the minimal set required by a basic ## X client application. ## ## ## ## The prefix of the X client domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## Client domain allowed access. ## ## # template(`xserver_common_x_domain_template',` gen_require(` type $1_xproperty_t, $1_input_xevent_t, $1_property_xevent_t; type $1_focus_xevent_t, $1_manage_xevent_t, $1_default_xevent_t; type $1_client_xevent_t; type rootwindow_t, xproperty_t; type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type xevent_t, client_xevent_t; attribute x_domain; attribute xproperty_type; attribute xevent_type; attribute input_xevent_type; class x_drawable all_x_drawable_perms; class x_property all_x_property_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; ') ############################## # # Local Policy # # Type attributes typeattribute $2 x_domain; # X Properties # can read and write client properties allow $2 $1_xproperty_t:x_property { create destroy read write append }; type_transition $2 xproperty_t:x_property $1_xproperty_t; # X Windows # new windows have the domain type type_transition $2 rootwindow_t:x_drawable $2; # X Input # can receive own events allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive; allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive; allow $2 $1_manage_xevent_t:{ x_event x_synthetic_event } receive; allow $2 $1_default_xevent_t:{ x_event x_synthetic_event } receive; allow $2 $1_client_xevent_t:{ x_event x_synthetic_event } receive; type_transition $2 input_xevent_t:x_event $1_input_xevent_t; type_transition $2 property_xevent_t:x_event $1_property_xevent_t; type_transition $2 focus_xevent_t:x_event $1_focus_xevent_t; type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t; type_transition $2 client_xevent_t:x_event $1_client_xevent_t; type_transition $2 xevent_t:x_event $1_default_xevent_t; # can send ICCCM events to myself allow $2 $1_manage_xevent_t:x_synthetic_event send; ') ####################################### ## ## Template for creating the set of types used ## in an X windows domain. ## ## ## ## The prefix of the X client domain (e.g., user ## is the prefix for user_t). ## ## # template(`xserver_object_types_template',` gen_require(` attribute xproperty_type, input_xevent_type, xevent_type; ') ############################## # # Declarations # # Types for properties type $1_xproperty_t alias $1_default_xproperty_t, xproperty_type; ubac_constrained($1_xproperty_t) # Types for events type $1_input_xevent_t, input_xevent_type, xevent_type; ubac_constrained($1_input_xevent_t) type $1_property_xevent_t, xevent_type; ubac_constrained($1_property_xevent_t) type $1_focus_xevent_t, xevent_type; ubac_constrained($1_focus_xevent_t) type $1_manage_xevent_t, xevent_type; ubac_constrained($1_manage_xevent_t) type $1_default_xevent_t, xevent_type; ubac_constrained($1_default_xevent_t) type $1_client_xevent_t, xevent_type; ubac_constrained($1_client_xevent_t) ') ####################################### ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Provides the minimal set required by a basic ## X client application. ## ## ## ## The prefix of the X client domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## Client domain allowed access. ## ## ## ## ## The type of the domain SYSV tmpfs files. ## ## # template(`xserver_user_x_domain_template',` gen_require(` type xdm_t, xdm_tmp_t; type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; ') allow $2 self:shm create_shm_perms; allow $2 self:unix_dgram_socket create_socket_perms; allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; allow $2 xdm_t:fifo_file { getattr read write ioctl }; allow $2 xdm_tmp_t:dir search_dir_perms; allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. files_search_tmp($2) miscfiles_read_fonts($2) userdom_search_user_home_dirs($2) # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) xserver_ro_session($2,$3) xserver_use_user_fonts($2) xserver_read_xdm_tmp_files($2) # X object manager xserver_object_types_template($1) xserver_common_x_domain_template($1,$2) # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') ') ######################################## ## ## Read user fonts, user font configuration, ## and manage the user font cache. ## ## ##

## Read user fonts, user font configuration, ## and manage the user font cache. ##

##

## This is a templated interface, and should only ## be called from a per-userdomain template. ##

##
## ## ## Domain allowed access. ## ## # interface(`xserver_use_user_fonts',` gen_require(` type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; ') # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t) # Read per user font config allow $1 user_fonts_config_t:dir list_dir_perms; allow $1 user_fonts_config_t:file read_file_perms; userdom_search_user_home_dirs($1) ') ######################################## ## ## Transition to the Xauthority domain. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_domtrans_xauth',` gen_require(` type xauth_t, xauth_exec_t; ') domtrans_pattern($1, xauth_exec_t, xauth_t) ') ######################################## ## ## Create a Xauthority file in the user home directory. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` type xauth_home_t; ') userdom_user_home_dir_filetrans($1, xauth_home_t, file) ') ######################################## ## ## Read all users fonts, user font configurations, ## and manage all users font caches. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_use_all_users_fonts',` refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.') xserver_use_user_fonts($1) ') ######################################## ## ## Read all users .Xauthority. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_user_xauth',` gen_require(` type xauth_home_t; ') allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) ') ######################################## ## ## Set the attributes of the X windows console named pipes. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_setattr_console_pipes',` gen_require(` type xconsole_device_t; ') allow $1 xconsole_device_t:fifo_file setattr; ') ######################################## ## ## Read and write the X windows console named pipe. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_console',` gen_require(` type xconsole_device_t; ') allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Use file descriptors for xdm. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_use_xdm_fds',` gen_require(` type xdm_t; ') allow $1 xdm_t:fd use; ') ######################################## ## ## Do not audit attempts to inherit ## XDM file descriptors. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_use_xdm_fds',` gen_require(` type xdm_t; ') dontaudit $1 xdm_t:fd use; ') ######################################## ## ## Read and write XDM unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_xdm_pipes',` gen_require(` type xdm_t; ') allow $1 xdm_t:fifo_file { getattr read write }; ') ######################################## ## ## Do not audit attempts to read and write ## XDM unnamed pipes. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_rw_xdm_pipes',` gen_require(` type xdm_t; ') dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Connect to XDM over a unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_stream_connect_xdm',` gen_require(` type xdm_t, xdm_tmp_t; ') files_search_tmp($1) stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) ') ######################################## ## ## Read xdm-writable configuration files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_rw_config',` gen_require(` type xdm_rw_etc_t; ') files_search_etc($1) allow $1 xdm_rw_etc_t:file read_file_perms; ') ######################################## ## ## Set the attributes of XDM temporary directories. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_setattr_xdm_tmp_dirs',` gen_require(` type xdm_tmp_t; ') allow $1 xdm_tmp_t:dir setattr; ') ######################################## ## ## Create a named socket in a XDM ## temporary directory. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_create_xdm_tmp_sockets',` gen_require(` type xdm_tmp_t; ') files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') ######################################## ## ## Read XDM pid files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_pid',` gen_require(` type xdm_var_run_t; ') files_search_pids($1) allow $1 xdm_var_run_t:file read_file_perms; ') ######################################## ## ## Read XDM var lib files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_lib_files',` gen_require(` type xdm_var_lib_t; ') allow $1 xdm_var_lib_t:file read_file_perms; ') ######################################## ## ## Make an X session script an entrypoint for the specified domain. ## ## ## ## The domain for which the shell is an entrypoint. ## ## # interface(`xserver_xsession_entry_type',` gen_require(` type xsession_exec_t; ') domain_entry_file($1, xsession_exec_t) ') ######################################## ## ## Execute an X session in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ##

## Execute an Xsession in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
## ## ## Domain allowed access. ## ## ## ## ## The type of the shell process. ## ## # interface(`xserver_xsession_spec_domtrans',` gen_require(` type xsession_exec_t; ') domain_trans($1, xsession_exec_t, $2) ') ######################################## ## ## Get the attributes of X server logs. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_getattr_log',` gen_require(` type xserver_log_t; ') logging_search_logs($1) allow $1 xserver_log_t:file getattr; ') ######################################## ## ## Do not audit attempts to write the X server ## log files. ## ## ## ## Domain to not audit ## ## # interface(`xserver_dontaudit_write_log',` gen_require(` type xserver_log_t; ') dontaudit $1 xserver_log_t:file { append write }; ') ######################################## ## ## Do not audit attempts to write the X server ## log files. ## ## ## ## Domain to not audit ## ## # interface(`xserver_delete_log',` gen_require(` type xserver_log_t; ') logging_search_logs($1) allow $1 xserver_log_t:dir list_dir_perms; delete_files_pattern($1, xserver_log_t, xserver_log_t) delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t) ') ######################################## ## ## Read X keyboard extension libraries. ## ## ## ## Domain to not audit ## ## # interface(`xserver_read_xkb_libs',` gen_require(` type xkb_var_lib_t; ') files_search_var_lib($1) allow $1 xkb_var_lib_t:dir list_dir_perms; read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) ') ######################################## ## ## Read xdm temporary files. ## ## ## ## Domain to not audit ## ## # interface(`xserver_read_xdm_tmp_files',` gen_require(` type xdm_tmp_t; ') files_search_tmp($1) read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') ######################################## ## ## Do not audit attempts to read xdm temporary files. ## ## ## ## Domain to not audit ## ## # interface(`xserver_dontaudit_read_xdm_tmp_files',` gen_require(` type xdm_tmp_t; ') dontaudit $1 xdm_tmp_t:dir search_dir_perms; dontaudit $1 xdm_tmp_t:file read_file_perms; ') ######################################## ## ## Read write xdm temporary files. ## ## ## ## Domain to not audit ## ## # interface(`xserver_rw_xdm_tmp_files',` gen_require(` type xdm_tmp_t; ') allow $1 xdm_tmp_t:dir search_dir_perms; allow $1 xdm_tmp_t:file rw_file_perms; ') ######################################## ## ## Create, read, write, and delete xdm temporary files. ## ## ## ## Domain to not audit ## ## # interface(`xserver_manage_xdm_tmp_files',` gen_require(` type xdm_tmp_t; ') manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') ######################################## ## ## dontaudit getattr xdm temporary named sockets. ## ## ## ## Domain to not audit ## ## # interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` gen_require(` type xdm_tmp_t; ') dontaudit $1 xdm_tmp_t:sock_file getattr; ') ######################################## ## ## Execute the X server in the X server domain. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_domtrans',` gen_require(` type xserver_t, xserver_exec_t; ') allow $1 xserver_t:process siginh; domtrans_pattern($1, xserver_exec_t, xserver_t) ') ######################################## ## ## Signal X servers ## ## ## ## Domain to not audit ## ## # interface(`xserver_signal',` gen_require(` type xserver_t; ') allow $1 xserver_t:process signal; ') ######################################## ## ## Kill X servers ## ## ## ## Domain to not audit ## ## # interface(`xserver_kill',` gen_require(` type xserver_t; ') allow $1 xserver_t:process sigkill; ') ######################################## ## ## Read and write X server Sys V Shared ## memory segments. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_shm',` gen_require(` type xserver_t; ') allow $1 xserver_t:shm rw_shm_perms; ') ######################################## ## ## Do not audit attempts to read and write to ## X server sockets. ## ## ## ## Domain to not audit ## ## # interface(`xserver_dontaudit_rw_tcp_sockets',` gen_require(` type xserver_t; ') dontaudit $1 xserver_t:tcp_socket { read write }; ') ######################################## ## ## Do not audit attempts to read and write X server ## unix domain stream sockets. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_dontaudit_rw_stream_sockets',` gen_require(` type xserver_t; ') dontaudit $1 xserver_t:unix_stream_socket { read write }; ') ######################################## ## ## Connect to the X server over a unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_stream_connect',` gen_require(` type xserver_t, xserver_tmp_t; ') files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) ') ######################################## ## ## Read X server temporary files. ## ## ## ## Domain to not audit ## ## # interface(`xserver_read_tmp_files',` gen_require(` type xserver_tmp_t; ') allow $1 xserver_tmp_t:file read_file_perms; files_search_tmp($1) ') ######################################## ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_unconfined',` gen_require(` attribute xserver_unconfined_type; ') typeattribute $1 xserver_unconfined_type; ')