## X Windows Server ######################################## ## ## Rules required for using the X Windows server ## and environment, for restricted users. ## ## ## ## Role allowed access. ## ## ## ## ## Domain allowed access. ## ## # interface(`xserver_restricted_role',` gen_require(` type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t; type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t; type iceauth_t, iceauth_exec_t, iceauth_home_t; type xauth_t, xauth_exec_t, xauth_home_t; class dbus send_msg; ') role $1 types { xserver_t xauth_t iceauth_t }; # Xserver read/write client shm allow xserver_t $2:fd use; allow xserver_t $2:shm rw_shm_perms; domtrans_pattern($2, xserver_exec_t, xserver_t) allow xserver_t $2:process { getpgid signal }; allow xserver_t $2:shm rw_shm_perms; allow $2 user_fonts_t:dir list_dir_perms; allow $2 user_fonts_t:file read_file_perms; allow $2 user_fonts_t:lnk_file read_lnk_file_perms; allow $2 user_fonts_config_t:dir list_dir_perms; allow $2 user_fonts_config_t:file read_file_perms; manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) allow $2 xserver_tmp_t:sock_file unlink; files_search_tmp($2) # Communicate via System V shared memory. allow $2 xserver_t:shm r_shm_perms; allow $2 xserver_tmpfs_t:file read_file_perms; # allow ps to show iceauth ps_process_pattern($2, iceauth_t) domtrans_pattern($2, iceauth_exec_t, iceauth_t) allow $2 iceauth_home_t:file read_file_perms; domtrans_pattern($2, xauth_exec_t, xauth_t) allow $2 xauth_t:process signal; # allow ps to show xauth ps_process_pattern($2, xauth_t) allow $2 xserver_t:process signal; allow $2 xauth_home_t:file read_file_perms; # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; allow $2 xdm_t:fifo_file { getattr read write ioctl }; allow $2 xdm_tmp_t:dir search_dir_perms; allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; dontaudit $2 xdm_tmp_t:dir setattr; allow $2 xdm_t:dbus send_msg; allow xdm_t $2:dbus send_msg; # Client read xserver shm allow $2 xserver_t:fd use; allow $2 xserver_tmpfs_t:file read_file_perms; # Read /tmp/.X0-lock allow $2 xserver_tmp_t:file { getattr read }; dev_rw_xserver_misc($2) dev_rw_power_management($2) dev_read_input($2) dev_read_misc($2) dev_write_misc($2) # open office is looking for the following dev_getattr_agp_dev($2) # GNOME checks for usb and other devices: dev_rw_usbfs($2) miscfiles_read_fonts($2) miscfiles_setattr_fonts_cache_dirs($2) xserver_common_x_domain_template(user, $2) xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) # certain apps want to read xdm.pid file xserver_read_xdm_pid($2) # gnome-session creates socket under /tmp/.ICE-unix/ xserver_create_xdm_tmp_sockets($2) # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) ifdef(`hide_broken_symptoms',` dontaudit iceauth_t $2:socket_class_set { read write }; ') # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') tunable_policy(`user_direct_dri',` dev_rw_dri($2) ') ') ######################################## ## ## Rules required for using the X Windows server ## and environment. ## ## ## ## Role allowed access. ## ## ## ## ## Domain allowed access. ## ## # interface(`xserver_role',` gen_require(` type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t; type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; ') xserver_restricted_role($1, $2) # Communicate via System V shared memory. allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; allow $2 iceauth_home_t:file manage_file_perms; allow $2 iceauth_home_t:file relabel_file_perms; allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file relabel_file_perms; mls_xwin_read_to_clearance($2) manage_dirs_pattern($2, user_fonts_t, user_fonts_t) manage_files_pattern($2, user_fonts_t, user_fonts_t) allow $2 user_fonts_t:lnk_file read_lnk_file_perms; relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) relabel_files_pattern($2, user_fonts_t, user_fonts_t) manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) ') ####################################### ## ## Create sessions on the X server, with read-only ## access to the X server shared ## memory segments. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the domain SYSV tmpfs files. ## ## # interface(`xserver_ro_session',` gen_require(` type xserver_t, xserver_tmp_t, xserver_tmpfs_t; ') # Xserver read/write client shm allow xserver_t $1:fd use; allow xserver_t $1:shm rw_shm_perms; allow xserver_t $2:file rw_file_perms; # Connect to xserver allow $1 xserver_t:unix_stream_socket connectto; allow $1 xserver_t:process signal; # Read /tmp/.X0-lock allow $1 xserver_tmp_t:file read_file_perms; # Client read xserver shm allow $1 xserver_t:fd use; allow $1 xserver_t:shm r_shm_perms; allow $1 xserver_tmpfs_t:file read_file_perms; ') ####################################### ## ## Create sessions on the X server, with read and write ## access to the X server shared ## memory segments. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the domain SYSV tmpfs files. ## ## # interface(`xserver_rw_session',` gen_require(` type xserver_t, xserver_tmpfs_t; ') xserver_ro_session($1,$2) allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') ####################################### ## ## Create non-drawing client sessions on an X server. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_non_drawing_client',` gen_require(` class x_drawable { getattr get_property }; class x_extension { query use }; class x_gc { create setattr }; class x_property read; type xserver_t, xdm_var_run_t; type xextension_t, xproperty_t, root_xdrawable_t; ') allow $1 self:x_gc { create setattr }; allow $1 xdm_var_run_t:dir search; allow $1 xserver_t:unix_stream_socket connectto; allow $1 xextension_t:x_extension { query use }; allow $1 root_xdrawable_t:x_drawable { getattr get_property }; allow $1 xproperty_t:x_property read; ') ####################################### ## ## Create full client sessions ## on a user X server. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the domain SYSV tmpfs files. ## ## # interface(`xserver_user_client',` refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` type xdm_t, xdm_tmp_t; type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; ') allow $1 self:shm create_shm_perms; allow $1 self:unix_dgram_socket create_socket_perms; allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file allow $1 xauth_home_t:file read_file_perms; allow $1 iceauth_home_t:file read_file_perms; # for when /tmp/.X11-unix is created by the system allow $1 xdm_t:fd use; allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; # Allow connections to X server. files_search_tmp($1) miscfiles_read_fonts($1) userdom_search_user_home_dirs($1) # for .xsession-errors userdom_dontaudit_write_user_home_content_files($1) xserver_ro_session($1,$2) xserver_use_user_fonts($1) xserver_read_xdm_tmp_files($1) # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') ') ####################################### ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Provides the minimal set required by a basic ## X client application. ## ## ## ## The prefix of the X client domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## Client domain allowed access. ## ## # template(`xserver_common_x_domain_template',` gen_require(` type root_xdrawable_t; type xproperty_t, $1_xproperty_t; type xevent_t, client_xevent_t; type input_xevent_t, $1_input_xevent_t; attribute x_domain; attribute xdrawable_type, xcolormap_type; attribute input_xevent_type; class x_drawable all_x_drawable_perms; class x_property all_x_property_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; class x_client destroy; class x_server manage; class x_screen { saver_setattr saver_hide saver_show }; class x_pointer { get_property set_property manage }; class x_keyboard { read manage }; type xdm_t, xserver_t; ') ############################## # # Local Policy # # Type attributes typeattribute $2 x_domain; typeattribute $2 xdrawable_type, xcolormap_type; # X Properties # disable property transitions for the time being. # type_transition $2 xproperty_t:x_property $1_xproperty_t; # X Windows # new windows have the domain type type_transition $2 root_xdrawable_t:x_drawable $2; # X Input # distinguish input events type_transition $2 input_xevent_t:x_event $1_input_xevent_t; # can send own events allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } send; # can receive own events allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; # can receive default events allow $2 client_xevent_t:{ x_event x_synthetic_event } receive; allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; allow $2 xdm_t:x_drawable { hide read add_child manage }; allow $2 xdm_t:x_client destroy; allow $2 root_xdrawable_t:x_drawable write; allow $2 xserver_t:x_server manage; allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show }; allow $2 xserver_t:x_pointer { get_property set_property manage }; allow $2 xserver_t:x_keyboard { read manage }; ') ####################################### ## ## Template for creating the set of types used ## in an X windows domain. ## ## ## ## The prefix of the X client domain (e.g., user ## is the prefix for user_t). ## ## # template(`xserver_object_types_template',` gen_require(` attribute xproperty_type, input_xevent_type, xevent_type; ') ############################## # # Declarations # # Types for properties type $1_xproperty_t, xproperty_type; ubac_constrained($1_xproperty_t) # Types for events type $1_input_xevent_t, input_xevent_type, xevent_type; ubac_constrained($1_input_xevent_t) ') ####################################### ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Provides the minimal set required by a basic ## X client application. ## ## ## ## The prefix of the X client domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## Client domain allowed access. ## ## ## ## ## The type of the domain SYSV tmpfs files. ## ## # template(`xserver_user_x_domain_template',` gen_require(` type xdm_t, xdm_tmp_t; type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; ') allow $2 self:shm create_shm_perms; allow $2 self:unix_dgram_socket create_socket_perms; allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; allow $2 xdm_t:fifo_file { getattr read write ioctl }; allow $2 xdm_tmp_t:dir search_dir_perms; allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. files_search_tmp($2) miscfiles_read_fonts($2) userdom_search_user_home_dirs($2) # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) xserver_ro_session($2, $3) xserver_use_user_fonts($2) xserver_read_xdm_tmp_files($2) xserver_read_xdm_pid($2) # X object manager xserver_object_types_template($1) xserver_common_x_domain_template($1, $2) # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') tunable_policy(`user_direct_dri',` dev_rw_dri($2) ') ') ######################################## ## ## Read user fonts, user font configuration, ## and manage the user font cache. ## ## ##

## Read user fonts, user font configuration, ## and manage the user font cache. ##

##

## This is a templated interface, and should only ## be called from a per-userdomain template. ##

##
## ## ## Domain allowed access. ## ## # interface(`xserver_use_user_fonts',` gen_require(` type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; ') # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; allow $1 user_fonts_t:lnk_file read_lnk_file_perms; # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t) # Read per user font config allow $1 user_fonts_config_t:dir list_dir_perms; allow $1 user_fonts_config_t:file read_file_perms; userdom_search_user_home_dirs($1) ') ######################################## ## ## Transition to the Xauthority domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`xserver_domtrans_xauth',` gen_require(` type xauth_t, xauth_exec_t; ') domtrans_pattern($1, xauth_exec_t, xauth_t) ifdef(`hide_broken_symptoms',` dontaudit xauth_t $1:socket_class_set { read write }; ') ') ######################################## ## ## Dontaudit exec of Xauthority program. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_dontaudit_exec_xauth',` gen_require(` type xauth_exec_t; ') dontaudit $1 xauth_exec_t:file execute; ') ######################################## ## ## Create a Xauthority file in the user home directory. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` type xauth_home_t; ') userdom_user_home_dir_filetrans($1, xauth_home_t, file) ') ######################################## ## ## Read all users fonts, user font configurations, ## and manage all users font caches. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_use_all_users_fonts',` refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.') xserver_use_user_fonts($1) ') ######################################## ## ## Read all users .Xauthority. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_user_xauth',` gen_require(` type xauth_home_t; ') allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) xserver_read_xdm_pid($1) ') ######################################## ## ## Set the attributes of the X windows console named pipes. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_setattr_console_pipes',` gen_require(` type xconsole_device_t; ') allow $1 xconsole_device_t:fifo_file setattr; ') ######################################## ## ## Read and write the X windows console named pipe. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_console',` gen_require(` type xconsole_device_t; ') allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Use file descriptors for xdm. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_use_xdm_fds',` gen_require(` type xdm_t; ') allow $1 xdm_t:fd use; ') ######################################## ## ## Do not audit attempts to inherit ## XDM file descriptors. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_use_xdm_fds',` gen_require(` type xdm_t; ') dontaudit $1 xdm_t:fd use; ') ######################################## ## ## Read and write XDM unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_xdm_pipes',` gen_require(` type xdm_t; ') allow $1 xdm_t:fifo_file { getattr read write }; ') ######################################## ## ## Do not audit attempts to read and write ## XDM unnamed pipes. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_rw_xdm_pipes',` gen_require(` type xdm_t; ') dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Connect to XDM over a unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_stream_connect_xdm',` gen_require(` type xdm_t, xdm_tmp_t; type xdm_var_run_t; ') files_search_tmp($1) stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t) ') ######################################## ## ## Read xdm-writable configuration files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_rw_config',` gen_require(` type xdm_rw_etc_t; ') files_search_etc($1) allow $1 xdm_rw_etc_t:file read_file_perms; ') ######################################## ## ## Set the attributes of XDM temporary directories. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_setattr_xdm_tmp_dirs',` gen_require(` type xdm_tmp_t; ') allow $1 xdm_tmp_t:dir setattr; ') ######################################## ## ## Create a named socket in a XDM ## temporary directory. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_create_xdm_tmp_sockets',` gen_require(` type xdm_tmp_t; ') files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') ######################################## ## ## Read XDM pid files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_pid',` gen_require(` type xdm_var_run_t; ') files_search_pids($1) read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) ') ######################################## ## ## Read XDM var lib files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_lib_files',` gen_require(` type xdm_var_lib_t; ') allow $1 xdm_var_lib_t:file read_file_perms; ') ######################################## ## ## Make an X session script an entrypoint for the specified domain. ## ## ## ## The domain for which the shell is an entrypoint. ## ## # interface(`xserver_xsession_entry_type',` gen_require(` type xsession_exec_t; ') domain_entry_file($1, xsession_exec_t) ') ######################################## ## ## Execute an X session in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ##

## Execute an Xsession in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## The type of the shell process. ## ## # interface(`xserver_xsession_spec_domtrans',` gen_require(` type xsession_exec_t; ') domain_trans($1, xsession_exec_t, $2) ') ######################################## ## ## Get the attributes of X server logs. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_getattr_log',` gen_require(` type xserver_log_t; ') logging_search_logs($1) allow $1 xserver_log_t:file getattr; ') ######################################## ## ## Do not audit attempts to write the X server ## log files. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_write_log',` gen_require(` type xserver_log_t; ') dontaudit $1 xserver_log_t:file rw_inherited_file_perms; ') ######################################## ## ## Delete X server log files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_delete_log',` gen_require(` type xserver_log_t; ') logging_search_logs($1) allow $1 xserver_log_t:dir list_dir_perms; delete_files_pattern($1, xserver_log_t, xserver_log_t) delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t) ') ######################################## ## ## Read X keyboard extension libraries. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xkb_libs',` gen_require(` type xkb_var_lib_t; ') files_search_var_lib($1) allow $1 xkb_var_lib_t:dir list_dir_perms; read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) ') ######################################## ## ## Read xdm config files. ## ## ## ## Domain to not audit ## ## # interface(`xserver_read_xdm_etc_files',` gen_require(` type xdm_etc_t; ') files_search_etc($1) read_files_pattern($1, xdm_etc_t, xdm_etc_t) ') ######################################## ## ## Manage xdm config files. ## ## ## ## Domain to not audit ## ## # interface(`xserver_manage_xdm_etc_files',` gen_require(` type xdm_etc_t; ') files_search_etc($1) manage_files_pattern($1, xdm_etc_t, xdm_etc_t) ') ######################################## ## ## Read xdm temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_tmp_files',` gen_require(` type xdm_tmp_t; ') files_search_tmp($1) read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') ######################################## ## ## Do not audit attempts to read xdm temporary files. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_read_xdm_tmp_files',` gen_require(` type xdm_tmp_t; ') dontaudit $1 xdm_tmp_t:dir search_dir_perms; dontaudit $1 xdm_tmp_t:file read_file_perms; ') ######################################## ## ## Read write xdm temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_xdm_tmp_files',` gen_require(` type xdm_tmp_t; ') allow $1 xdm_tmp_t:dir search_dir_perms; allow $1 xdm_tmp_t:file rw_file_perms; ') ######################################## ## ## Create, read, write, and delete xdm temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_manage_xdm_tmp_files',` gen_require(` type xdm_tmp_t; ') manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') ######################################## ## ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` gen_require(` type xdm_tmp_t; ') dontaudit $1 xdm_tmp_t:sock_file getattr; ') ######################################## ## ## Execute the X server in the X server domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`xserver_domtrans',` gen_require(` type xserver_t, xserver_exec_t; ') allow $1 xserver_t:process siginh; domtrans_pattern($1, xserver_exec_t, xserver_t) allow xserver_t $1:process getpgid; ') ######################################## ## ## Signal X servers ## ## ## ## Domain allowed access. ## ## # interface(`xserver_signal',` gen_require(` type xserver_t; ') allow $1 xserver_t:process signal; ') ######################################## ## ## Kill X servers ## ## ## ## Domain allowed access. ## ## # interface(`xserver_kill',` gen_require(` type xserver_t; ') allow $1 xserver_t:process sigkill; ') ######################################## ## ## Read and write X server Sys V Shared ## memory segments. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_shm',` gen_require(` type xserver_t; ') allow $1 xserver_t:shm rw_shm_perms; ') ######################################## ## ## Do not audit attempts to read and write to ## X server sockets. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_rw_tcp_sockets',` gen_require(` type xserver_t; ') dontaudit $1 xserver_t:tcp_socket { read write }; ') ######################################## ## ## Do not audit attempts to read and write X server ## unix domain stream sockets. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_rw_stream_sockets',` gen_require(` type xserver_t; ') dontaudit $1 xserver_t:unix_stream_socket { read write }; ') ######################################## ## ## Connect to the X server over a unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_stream_connect',` gen_require(` type xserver_t, xserver_tmp_t; ') files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) allow xserver_t $1:shm rw_shm_perms; ') ######################################## ## ## Read X server temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_tmp_files',` gen_require(` type xserver_tmp_t; ') allow $1 xserver_tmp_t:file read_file_perms; files_search_tmp($1) ') ######################################## ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the ## virtual core keyboard and virtual core pointer devices. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_manage_core_devices',` gen_require(` type xserver_t; class x_device all_x_device_perms; class x_pointer all_x_pointer_perms; class x_keyboard all_x_keyboard_perms; class x_screen all_x_screen_perms; class x_drawable { manage }; type root_xdrawable_t; attribute x_domain; class x_drawable { read manage setattr show }; class x_resource { write read }; ') allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; allow $1 xserver_t:{ x_screen } setattr; allow $1 x_domain:x_drawable { read manage setattr show }; allow $1 x_domain:x_resource { write read }; allow $1 root_xdrawable_t:x_drawable { manage read }; ') ######################################## ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_unconfined',` gen_require(` attribute x_domain; attribute xserver_unconfined_type; ') typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') ######################################## ## ## Dontaudit append to .xsession-errors file ## ## ## ## Domain to not audit ## ## # interface(`xserver_dontaudit_append_xdm_home_files',` gen_require(` type xdm_home_t; type xserver_tmp_t; ') dontaudit $1 xdm_home_t:file rw_inherited_file_perms; dontaudit $1 xserver_tmp_t:file rw_inherited_file_perms; tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files($1) ') tunable_policy(`use_samba_home_dirs',` fs_dontaudit_rw_cifs_files($1) ') ') ######################################## ## ## append to .xsession-errors file ## ## ## ## Domain to not audit ## ## # interface(`xserver_append_xdm_home_files',` gen_require(` type xdm_home_t; type xserver_tmp_t; ') allow $1 xdm_home_t:file append_file_perms; allow $1 xserver_tmp_t:file append_file_perms; tunable_policy(`use_nfs_home_dirs',` fs_append_nfs_files($1) ') tunable_policy(`use_samba_home_dirs',` fs_append_cifs_files($1) ') ') ######################################## ## ## Manage the xdm_spool files ## ## ## ## Domain allowed access. ## ## # interface(`xserver_xdm_manage_spool',` gen_require(` type xdm_spool_t; ') files_search_spool($1) manage_files_pattern($1, xdm_spool_t, xdm_spool_t) ') ######################################## ## ## Send and receive messages from ## xdm over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_dbus_chat_xdm',` gen_require(` type xdm_t; class dbus send_msg; ') allow $1 xdm_t:dbus send_msg; allow xdm_t $1:dbus send_msg; ') ######################################## ## ## Read xserver files created in /var/run ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_pid',` gen_require(` type xserver_var_run_t; ') files_search_pids($1) read_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ') ######################################## ## ## Execute xserver files created in /var/run ## ## ## ## Domain allowed access. ## ## # interface(`xserver_exec_pid',` gen_require(` type xserver_var_run_t; ') files_search_pids($1) exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ') ######################################## ## ## Write xserver files created in /var/run ## ## ## ## Domain allowed access. ## ## # interface(`xserver_write_pid',` gen_require(` type xserver_var_run_t; ') files_search_pids($1) write_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ') ######################################## ## ## Allow append the xdm ## log files. ## ## ## ## Domain to not audit ## ## # interface(`xserver_xdm_append_log',` gen_require(` type xdm_log_t; attribute xdmhomewriter; ') typeattribute $1 xdmhomewriter; append_files_pattern($1, xdm_log_t, xdm_log_t) ') ######################################## ## ## Read a user Iceauthority domain. ## ## ## ## Domain allowed access. ## ## # template(`xserver_read_user_iceauth',` gen_require(` type iceauth_home_t; ') # Read .Iceauthority file allow $1 iceauth_home_t:file read_file_perms; ') ######################################## ## ## Read user homedir fonts. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_inherited_user_fonts',` gen_require(` type user_fonts_t; type user_fonts_config_t; ') allow $1 user_fonts_t:file rw_inherited_file_perms; allow $1 user_fonts_t:file read_lnk_file_perms; allow $1 user_fonts_config_t:file rw_inherited_file_perms; ') ######################################## ## ## Search XDM var lib dirs. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_search_xdm_lib',` gen_require(` type xdm_var_lib_t; ') allow $1 xdm_var_lib_t:dir search_dir_perms; ') ######################################## ## ## Make an X executable an entrypoint for the specified domain. ## ## ## ## The domain for which the shell is an entrypoint. ## ## # interface(`xserver_entry_type',` gen_require(` type xserver_exec_t; ') domain_entry_file($1, xserver_exec_t) ') ######################################## ## ## Execute xsever in the xserver domain, and ## allow the specified role the xserver domain. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the xserver domain. ## ## # interface(`xserver_run',` gen_require(` type xserver_t; ') xserver_domtrans($1) role $2 types xserver_t; ') ######################################## ## ## Execute xsever in the xserver domain, and ## allow the specified role the xserver domain. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the xserver domain. ## ## # interface(`xserver_run_xauth',` gen_require(` type xauth_t; ') xserver_domtrans_xauth($1) role $2 types xauth_t; ') ######################################## ## ## Read user homedir fonts. ## ## ## ## Domain allowed access. ## ## ## # interface(`xserver_manage_home_fonts',` gen_require(` type user_fonts_t; type user_fonts_config_t; ') manage_dirs_pattern($1, user_fonts_t, user_fonts_t) manage_files_pattern($1, user_fonts_t, user_fonts_t) manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t) manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) ')