275 lines
8.4 KiB
Plaintext
275 lines
8.4 KiB
Plaintext
#
|
|
# Macros for X server domains.
|
|
#
|
|
|
|
#
|
|
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
|
#
|
|
|
|
#################################
|
|
#
|
|
# xserver_domain(domain_prefix)
|
|
#
|
|
# Define a derived domain for the X server when executed
|
|
# by a user domain (e.g. via startx). See the xdm_t domain
|
|
# in domains/program/xdm.te if using an X Display Manager.
|
|
#
|
|
# The type declarations for the executable type for this program
|
|
# and the log type are provided separately in domains/program/xserver.te.
|
|
#
|
|
# FIXME! The X server requires far too many privileges.
|
|
#
|
|
undefine(`xserver_domain')
|
|
ifdef(`xserver.te', `
|
|
|
|
define(`xserver_domain',`
|
|
# Derived domain based on the calling user domain and the program.
|
|
ifdef(`distro_redhat', `
|
|
type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
|
|
allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
|
|
ifdef(`rpm.te', `
|
|
allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
|
|
allow $1_xserver_t rpm_tmpfs_t:file { read write };
|
|
allow $1_xserver_t rpm_t:fd use;
|
|
')
|
|
|
|
', `
|
|
type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
|
|
')
|
|
|
|
# for SSP
|
|
allow $1_xserver_t urandom_device_t:chr_file { getattr read ioctl };
|
|
|
|
# Transition from the user domain to this domain.
|
|
ifelse($1, xdm, `
|
|
ifdef(`xdm.te', `
|
|
domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
|
|
')
|
|
', `
|
|
domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t)
|
|
')dnl end ifelse xdm
|
|
can_exec($1_xserver_t, xserver_exec_t)
|
|
|
|
uses_shlib($1_xserver_t)
|
|
|
|
allow $1_xserver_t texrel_shlib_t:file execmod;
|
|
|
|
can_network($1_xserver_t)
|
|
allow $1_xserver_t port_type:tcp_socket name_connect;
|
|
can_ypbind($1_xserver_t)
|
|
allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
|
|
|
|
# for access within the domain
|
|
general_domain_access($1_xserver_t)
|
|
|
|
allow $1_xserver_t self:process execmem;
|
|
# Until the X module loader is fixed.
|
|
allow $1_xserver_t self:process execheap;
|
|
|
|
allow $1_xserver_t etc_runtime_t:file { getattr read };
|
|
|
|
ifelse($1, xdm, `
|
|
# The system role is authorised for the xdm and initrc domains
|
|
role system_r types xdm_xserver_t;
|
|
|
|
allow xdm_xserver_t init_t:fd use;
|
|
|
|
dontaudit xdm_xserver_t home_dir_type:dir { read search };
|
|
|
|
# Read all global and per user fonts
|
|
read_fonts($1_xserver_t, sysadm)
|
|
read_fonts($1_xserver_t, staff)
|
|
read_fonts($1_xserver_t, user)
|
|
|
|
', `
|
|
# The user role is authorized for this domain.
|
|
role $1_r types $1_xserver_t;
|
|
|
|
allow $1_xserver_t getty_t:fd use;
|
|
allow $1_xserver_t local_login_t:fd use;
|
|
allow $1_xserver_t $1_tty_device_t:chr_file { setattr rw_file_perms };
|
|
|
|
allow $1_xserver_t $1_tmpfs_t:file rw_file_perms;
|
|
allow $1_t $1_xserver_tmpfs_t:file rw_file_perms;
|
|
|
|
can_unix_connect($1_t, $1_xserver_t)
|
|
|
|
# Read fonts
|
|
read_fonts($1_xserver_t, $1)
|
|
|
|
# Access the home directory.
|
|
allow $1_xserver_t home_root_t:dir search;
|
|
allow $1_xserver_t $1_home_dir_t:dir { getattr search };
|
|
|
|
ifdef(`xauth.te', `
|
|
domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
|
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
|
|
', `
|
|
allow $1_xserver_t $1_home_t:file { getattr read };
|
|
')dnl end ifdef xauth
|
|
ifdef(`userhelper.te', `
|
|
allow $1_xserver_t userhelper_conf_t:dir search;
|
|
')dnl end ifdef userhelper
|
|
')dnl end ifelse xdm
|
|
|
|
allow $1_xserver_t self:process setsched;
|
|
|
|
allow $1_xserver_t fs_t:filesystem getattr;
|
|
|
|
# Xorg wants to check if kernel is tainted
|
|
read_sysctl($1_xserver_t)
|
|
|
|
# Use capabilities.
|
|
# allow setuid/setgid for the wrapper program to change UID
|
|
# sys_rawio is for iopl access - should not be needed for frame-buffer
|
|
# sys_admin, locking shared mem? chowning IPC message queues or semaphores?
|
|
# admin of APM bios?
|
|
# sys_nice is so that the X server can set a negative nice value
|
|
allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
|
|
allow $1_xserver_t nfs_t:dir { getattr search };
|
|
|
|
# memory_device_t access is needed if not using the frame buffer
|
|
#dontaudit $1_xserver_t memory_device_t:chr_file read;
|
|
allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute };
|
|
# net_bind_service is needed if you want your X server to allow TCP connections
|
|
# from other hosts, EG an XDM serving a network of X terms
|
|
# if you want good security you do not want this
|
|
# not sure why some people want chown, fsetid, and sys_tty_config.
|
|
#allow $1_xserver_t self:capability { net_bind_service chown fsetid sys_tty_config };
|
|
dontaudit $1_xserver_t self:capability chown;
|
|
|
|
# for nscd
|
|
dontaudit $1_xserver_t var_run_t:dir search;
|
|
|
|
allow $1_xserver_t mtrr_device_t:file rw_file_perms;
|
|
allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
|
|
allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
|
|
allow $1_xserver_t device_t:lnk_file { getattr read };
|
|
allow $1_xserver_t devtty_t:chr_file rw_file_perms;
|
|
allow $1_xserver_t zero_device_t:chr_file { read write execute };
|
|
|
|
# Type for temporary files.
|
|
tmp_domain($1_xserver, `', `{ dir file sock_file }')
|
|
file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
|
|
|
|
ifelse($1, xdm, `
|
|
ifdef(`xdm.te', `
|
|
allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
|
|
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
|
|
allow xdm_t $1_xserver_t:process signal;
|
|
can_unix_connect(xdm_t, xdm_xserver_t)
|
|
allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
|
|
allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
|
|
allow xdm_xserver_t xdm_t:process signal;
|
|
allow xdm_xserver_t xdm_t:shm rw_shm_perms;
|
|
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
|
|
dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
|
|
')
|
|
', `
|
|
allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
|
|
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
|
|
allow $1_t $1_xserver_t:process signal;
|
|
|
|
# Allow the user domain to connect to the X server.
|
|
can_unix_connect($1_t, $1_xserver_t)
|
|
allow $1_t $1_xserver_tmp_t:sock_file rw_file_perms;
|
|
allow $1_t $1_xserver_tmp_t:dir r_dir_perms;
|
|
ifdef(`xdm.te', `
|
|
allow $1_t xdm_tmp_t:sock_file unlink;
|
|
allow $1_xserver_t xdm_var_run_t:dir search;
|
|
')
|
|
|
|
# Signal the user domain.
|
|
allow $1_xserver_t $1_t:process signal;
|
|
|
|
# Communicate via System V shared memory.
|
|
allow $1_xserver_t $1_t:shm rw_shm_perms;
|
|
allow $1_t $1_xserver_t:shm rw_shm_perms;
|
|
allow $1_xserver_t initrc_t:shm rw_shm_perms;
|
|
|
|
')dnl end ifelse xdm
|
|
|
|
# Create files in /var/log with the xserver_log_t type.
|
|
allow $1_xserver_t var_t:dir search;
|
|
file_type_auto_trans($1_xserver_t, var_log_t, xserver_log_t, file)
|
|
allow $1_xserver_t xserver_log_t:dir r_dir_perms;
|
|
|
|
# Access AGP device.
|
|
allow $1_xserver_t agp_device_t:chr_file rw_file_perms;
|
|
|
|
# for other device nodes such as the NVidia binary-only driver
|
|
allow $1_xserver_t xserver_misc_device_t:chr_file rw_file_perms;
|
|
|
|
# Access /proc/mtrr
|
|
allow $1_xserver_t proc_t:file rw_file_perms;
|
|
allow $1_xserver_t proc_t:lnk_file { getattr read };
|
|
|
|
# Access /proc/sys/dev
|
|
allow $1_xserver_t sysctl_dev_t:dir search;
|
|
allow $1_xserver_t sysctl_dev_t:file { getattr read };
|
|
# Access /proc/bus/pci
|
|
allow $1_xserver_t proc_t:dir r_dir_perms;
|
|
|
|
# Create and access /dev/dri devices.
|
|
allow $1_xserver_t device_t:dir { create setattr };
|
|
file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
|
|
# brought on by rhgb
|
|
allow $1_xserver_t mnt_t:dir search;
|
|
|
|
allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };
|
|
|
|
# Run helper programs in $1_xserver_t.
|
|
allow $1_xserver_t { bin_t sbin_t }:dir search;
|
|
allow $1_xserver_t etc_t:{ file lnk_file } { getattr read };
|
|
allow $1_xserver_t bin_t:lnk_file read;
|
|
can_exec($1_xserver_t, { bin_t shell_exec_t })
|
|
|
|
# Connect to xfs.
|
|
ifdef(`xfs.te', `
|
|
can_unix_connect($1_xserver_t, xfs_t)
|
|
allow $1_xserver_t xfs_tmp_t:dir r_dir_perms;
|
|
allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms;
|
|
|
|
# Bind to the X server socket in /tmp.
|
|
allow $1_xserver_t $1_xserver_tmp_t:unix_stream_socket name_bind;
|
|
')
|
|
|
|
read_locale($1_xserver_t)
|
|
|
|
# Type for tmpfs/shm files.
|
|
tmpfs_domain($1_xserver)
|
|
ifelse($1, xdm, `
|
|
ifdef(`xdm.te', `
|
|
allow xdm_xserver_t xdm_t:shm rw_shm_perms;
|
|
allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
|
|
')
|
|
', `
|
|
allow $1_xserver_t $1_t:shm rw_shm_perms;
|
|
rw_dir_file($1_xserver_t, $1_tmpfs_t)
|
|
')dnl end ifelse xdm
|
|
|
|
|
|
r_dir_file($1_xserver_t,sysfs_t)
|
|
|
|
# Use the mouse.
|
|
allow $1_xserver_t mouse_device_t:chr_file rw_file_perms;
|
|
# Allow xserver to read events - the synaptics touchpad
|
|
# driver reads raw events
|
|
allow $1_xserver_t event_device_t:chr_file rw_file_perms;
|
|
ifdef(`pamconsole.te', `
|
|
allow $1_xserver_t pam_var_console_t:dir search;
|
|
')
|
|
dontaudit $1_xserver_t selinux_config_t:dir search;
|
|
|
|
allow $1_xserver_t var_lib_t:dir search;
|
|
rw_dir_create_file($1_xserver_t, xkb_var_lib_t)
|
|
|
|
')dnl end macro definition
|
|
|
|
', `
|
|
|
|
define(`xserver_domain',`')
|
|
|
|
')
|
|
|