selinux-policy/strict/domains/program/rhgb.te
2005-04-29 17:45:15 +00:00

102 lines
2.9 KiB
Plaintext

#DESC rhgb - Red Hat Graphical Boot
#
# Author: Russell Coker <russell@coker.com.au>
# Depends: xdm.te gnome-pty-helper.te xserver.te
daemon_base_domain(rhgb)
allow rhgb_t { bin_t sbin_t }:dir search;
allow rhgb_t bin_t:lnk_file read;
domain_auto_trans(rhgb_t, shell_exec_t, initrc_t)
domain_auto_trans(rhgb_t, xserver_exec_t, xdm_xserver_t)
can_exec(rhgb_t, { bin_t sbin_t gph_exec_t })
allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
allow rhgb_t self:fifo_file rw_file_perms;
# for gnome-pty-helper
gph_domain(rhgb, system)
allow initrc_t rhgb_gph_t:fd use;
allow rhgb_t proc_t:file { getattr read };
allow rhgb_t devtty_t:chr_file { read write };
allow rhgb_t tty_device_t:chr_file rw_file_perms;
read_locale(rhgb_t)
allow rhgb_t { etc_t etc_runtime_t }:file { getattr read };
# for ramfs file systems
allow rhgb_t ramfs_t:dir { setattr rw_dir_perms };
allow rhgb_t ramfs_t:sock_file create_file_perms;
allow rhgb_t ramfs_t:{ file fifo_file } create_file_perms;
allow insmod_t ramfs_t:file write;
allow insmod_t rhgb_t:fd use;
allow rhgb_t ramfs_t:filesystem { mount unmount };
allow rhgb_t mnt_t:dir { search mounton };
allow rhgb_t self:capability { sys_admin sys_tty_config };
dontaudit rhgb_t var_run_t:dir search;
can_network_client(rhgb_t)
can_ypbind(rhgb_t)
# for fonts
allow rhgb_t usr_t:{ file lnk_file } { getattr read };
# for running setxkbmap
r_dir_file(rhgb_t, var_lib_xkb_t)
# for localization
allow rhgb_t lib_t:file { getattr read };
allow rhgb_t initctl_t:fifo_file write;
ifdef(`hide_broken_symptoms', `
# it should not do this
dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
')dnl end hide_broken_symptoms
can_create_pty(rhgb)
allow rhgb_t self:shm create_shm_perms;
allow xdm_xserver_t rhgb_t:shm rw_shm_perms;
can_unix_connect(initrc_t, rhgb_t)
tmpfs_domain(rhgb)
allow xdm_xserver_t rhgb_tmpfs_t:file { read write };
allow rhgb_t fonts_t:dir { getattr read search };
allow rhgb_t fonts_t:file { getattr read };
# for nscd
dontaudit rhgb_t var_t:dir search;
ifdef(`hide_broken_symptoms', `
# for a bug in the X server
dontaudit insmod_t xdm_xserver_t:tcp_socket { read write };
dontaudit insmod_t serial_device:chr_file { read write };
dontaudit mount_t rhgb_gph_t:fd use;
dontaudit mount_t rhgb_t:unix_stream_socket { read write };
dontaudit mount_t ptmx_t:chr_file { read write };
')dnl end hide_broken_symptoms
ifdef(`firstboot.te', `
allow rhgb_t firstboot_rw_t:file r_file_perms;
')
allow rhgb_t tmp_t:dir search;
allow rhgb_t xdm_xserver_t:process sigkill;
allow domain rhgb_devpts_t:chr_file { read write };
ifdef(`fsadm.te', `
dontaudit fsadm_t ramfs_t:fifo_file write;
')
allow rhgb_t xdm_xserver_tmp_t:file { getattr read };
dontaudit rhgb_t default_t:file read;
allow initrc_t ramfs_t:dir search;
allow initrc_t ramfs_t:sock_file write;
allow initrc_t rhgb_t:unix_stream_socket { read write };
allow rhgb_t default_t:file { getattr read };