rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
7b61fe506d
selinux-policy/policy/modules/services/xserver.te
Chris PeBenito 1900668638 trunk: Unified labeled networking policy from Paul Moore. 
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00

484 lines
13 KiB
Plaintext
Raw Blame History

policy_module(xserver,1.4.2)
########################################
#
# Declarations
#
ifdef(`strict_policy',`
## <desc>
## <p>
## Allows clients to write to the X server shared
## memory segments.
## </p>
## </desc>
gen_tunable(allow_write_xshm,false)
')
## <desc>
## <p>
## Allow xdm logins as sysadm
## </p>
## </desc>
gen_tunable(xdm_sysadm_login,false)
attribute fonts_type;
attribute fonts_cache_type;
attribute fonts_config_type;
attribute xauth_home_type;
type iceauth_exec_t;
corecmd_executable_file(iceauth_exec_t)
type xauth_exec_t;
corecmd_executable_file(xauth_exec_t)
# this is not actually a device, its a pipe
type xconsole_device_t;
files_type(xconsole_device_t)
fs_associate_tmpfs(xconsole_device_t)
files_associate_tmp(xconsole_device_t)
type xdm_t;
type xdm_exec_t;
auth_login_pgm_domain(xdm_t)
init_domain(xdm_t,xdm_exec_t)
init_daemon_domain(xdm_t,xdm_exec_t)
type xdm_lock_t;
files_lock_file(xdm_lock_t)
type xdm_rw_etc_t;
files_type(xdm_rw_etc_t)
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
type xdm_tmp_t;
files_tmp_file(xdm_tmp_t)
typealias xdm_tmp_t alias ice_tmp_t;
type xdm_tmpfs_t;
files_tmpfs_file(xdm_tmpfs_t)
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
# Type for the executable used to start the X server, e.g. Xwrapper.
type xserver_exec_t;
corecmd_executable_file(xserver_exec_t)
type xsession_exec_t;
corecmd_executable_file(xsession_exec_t)
# Type for the X server log file.
type xserver_log_t;
logging_log_file(xserver_log_t)
xserver_common_domain_template(xdm)
init_system_domain(xdm_xserver_t,xserver_exec_t)
ifdef(`enable_mcs',`
init_ranged_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
')
optional_policy(`
prelink_object_file(xkb_var_lib_t)
')
########################################
#
# XDM Local policy
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow xdm_t self:netlink_route_socket r_netlink_socket_perms;
allow xdm_t self:unix_dgram_socket create_socket_perms;
allow xdm_t self:tcp_socket create_stream_socket_perms;
allow xdm_t self:udp_socket create_socket_perms;
allow xdm_t self:socket create_socket_perms;
allow xdm_t self:appletalk_socket create_socket_perms;
allow xdm_t self:key { search link write };
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t,xdm_lock_t,file)
# wdm has its own config dir /etc/X11/wdm
# this is ugly, daemons should not create files under /etc!
manage_files_pattern(xdm_t,xdm_rw_etc_t,xdm_rw_etc_t)
manage_dirs_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_lnk_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
manage_dirs_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
manage_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
manage_fifo_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file })
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
# transition to the xdm xserver
domtrans_pattern(xdm_t, xserver_exec_t, xdm_xserver_t)
allow xdm_xserver_t xdm_t:process signal;
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
# Remove /tmp/.X11-unix/X0.
delete_files_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t)
delete_sock_files_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t)
manage_dirs_pattern(xdm_t,xserver_log_t,xserver_log_t)
manage_files_pattern(xdm_t,xserver_log_t,xserver_log_t)
manage_fifo_files_pattern(xdm_t,xserver_log_t,xserver_log_t)
logging_log_filetrans(xdm_t,xserver_log_t,file)
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
kernel_read_net_sysctls(xdm_t)
kernel_read_network_state(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
corenet_tcp_sendrecv_all_nodes(xdm_t)
corenet_udp_sendrecv_all_nodes(xdm_t)
corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
corenet_dontaudit_tcp_bind_all_ports(xdm_t)
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
dev_setattr_framebuffer_dev(xdm_t)
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
dev_getattr_xserver_misc_dev(xdm_t)
dev_setattr_xserver_misc_dev(xdm_t)
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
dev_getattr_video_dev(xdm_t)
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
dev_getattr_sound_dev(xdm_t)
dev_setattr_sound_dev(xdm_t)
dev_getattr_power_mgmt_dev(xdm_t)
dev_setattr_power_mgmt_dev(xdm_t)
domain_use_interactive_fds(xdm_t)
# Do not audit denied probes of /proc.
domain_dontaudit_read_all_domains_state(xdm_t)
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
files_read_etc_runtime_files(xdm_t)
files_exec_etc_files(xdm_t)
files_list_mnt(xdm_t)
# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
storage_dontaudit_setattr_fixed_disk_dev(xdm_t)
storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
term_setattr_unallocated_ttys(xdm_t)
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
# Run telinit->init to shutdown.
init_telinit(xdm_t)
libs_use_ld_so(xdm_t)
libs_use_shared_libs(xdm_t)
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
sysnet_read_config(xdm_t)
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
userdom_create_all_users_keys(xdm_t)
# for .dmrc
userdom_read_unpriv_users_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
ifdef(`targeted_policy',`
unconfined_domain(xdm_t)
unconfined_domtrans(xdm_t)
userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
')
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
fs_manage_nfs_files(xdm_t)
fs_manage_nfs_symlinks(xdm_t)
fs_exec_nfs_files(xdm_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xdm_t)
fs_manage_cifs_files(xdm_t)
fs_manage_cifs_symlinks(xdm_t)
fs_exec_cifs_files(xdm_t)
')
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
# xserver_rw_session_template(xdm,userdomain)
',`
userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
# FIXME:
# xserver_rw_session_template(xdm,unpriv_userdomain)
# dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
# allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
')
optional_policy(`
alsa_domtrans(xdm_t)
')
optional_policy(`
consolekit_dbus_chat(xdm_t)
')
optional_policy(`
consoletype_exec(xdm_t)
')
optional_policy(`
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
')
optional_policy(`
hostname_exec(xdm_t)
')
optional_policy(`
loadkeys_exec(xdm_t)
')
optional_policy(`
locallogin_signull(xdm_t)
')
optional_policy(`
# Do not audit attempts to check whether user root has email
mta_dontaudit_getattr_spool_files(xdm_t)
')
optional_policy(`
nscd_socket_use(xdm_t)
')
optional_policy(`
seutil_sigchld_newrole(xdm_t)
')
optional_policy(`
udev_read_db(xdm_t)
')
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
')
optional_policy(`
usermanage_read_crack_db(xdm_t)
')
optional_policy(`
xfs_stream_connect(xdm_t)
')
########################################
#
# XDM Xserver local policy
#
allow xdm_xserver_t xdm_t:process { signal getpgid };
allow xdm_xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
allow xdm_xserver_t xdm_var_run_t:file { getattr read };
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
manage_lnk_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
manage_sock_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
# Run xkbcomp.
allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
fs_search_auto_mountpoints(xdm_xserver_t)
init_use_fds(xdm_xserver_t)
# FIXME: After per user fonts are properly working
# xdm_xserver_t may no longer have any reason
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
xserver_use_all_users_fonts(xdm_xserver_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t)
fs_manage_nfs_symlinks(xdm_xserver_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xdm_xserver_t)
fs_manage_cifs_files(xdm_xserver_t)
fs_manage_cifs_symlinks(xdm_xserver_t)
')
ifdef(`targeted_policy',`
unconfined_domain_noaudit(xdm_xserver_t)
unconfined_domtrans(xdm_xserver_t)
ifndef(`distro_redhat',`
allow xdm_xserver_t self:process { execheap execmem };
')
ifdef(`distro_rhel4',`
allow xdm_xserver_t self:process { execheap execmem };
')
')
optional_policy(`
resmgr_stream_connect(xdm_t)
')
optional_policy(`
rhgb_rw_shm(xdm_xserver_t)
rhgb_rw_tmpfs_files(xdm_xserver_t)
')
ifdef(`TODO',`
# Need to further investigate these permissions and
# perhaps define derived types.
allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
allow xdm_t var_lib_t:file { create write unlink };
# Do not audit attempts to write to index files under /usr
dontaudit xdm_t usr_t:file write;
ifdef(`rhgb.te', `
allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
allow xdm_xserver_t ramfs_t:file manage_file_perms;
allow rhgb_t xdm_xserver_t:process signal;
')
tunable_policy(`allow_polyinstantiation',`
# xdm needs access for linking .X11-unix to poly /tmp
allow xdm_t polymember:dir { add_name remove_name write };
allow xdm_t polymember:lnk_file { create unlink };
# xdm needs access for copying .Xauthority into new home
allow xdm_t polymember:file { create getattr write };
')
#
# Wants to delete .xsession-errors file
#
allow xdm_t user_home_type:file unlink;
#
# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
#
allow pam_t xdm_t:fifo_file { getattr ioctl write };
') dnl end TODO
Reference in New Issue View Git Blame Copy Permalink