#DESC rhgb - Red Hat Graphical Boot
#
# Author: Russell Coker <russell@coker.com.au>
# Depends: xdm.te gnome-pty-helper.te xserver.te
#
# Type enforcement rules for the rhgb_t domain. Several rules below also
# touch other domains (initrc_t, insmod_t, xdm_xserver_t, mount_t, fsadm_t,
# and the global domain attribute); those are the ones most worth reviewing
# when auditing this file, since they widen access for subjects other than
# rhgb itself. Macros such as rw_file_perms, create_file_perms and
# daemon_base_domain are defined elsewhere in the policy and are not
# visible here.

# Declares the rhgb_t domain (and, presumably via the macro, its
# rhgb_exec_t entry point). Definition of daemon_base_domain is not in
# this file.
daemon_base_domain(rhgb)

# Path lookup for executables; execution itself is granted further below.
allow rhgb_t { bin_t sbin_t }:dir search;
allow rhgb_t bin_t:lnk_file read;

# Running a shell leaves rhgb_t and enters initrc_t; starting the X server
# enters xdm_xserver_t. Everything in bin_t, sbin_t and gph_exec_t that is
# not covered by a transition runs inside rhgb_t itself.
domain_auto_trans(rhgb_t, shell_exec_t, initrc_t)
domain_auto_trans(rhgb_t, xserver_exec_t, xdm_xserver_t)
can_exec(rhgb_t, { bin_t sbin_t gph_exec_t })

allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
allow rhgb_t self:fifo_file rw_file_perms;

# for gnome-pty-helper
# gph_domain is expected to define the rhgb_gph_t domain referenced on the
# next line (macro defined in gnome-pty-helper.te, per the Depends header).
gph_domain(rhgb, system)
allow initrc_t rhgb_gph_t:fd use;

allow rhgb_t proc_t:file { getattr read };

allow rhgb_t devtty_t:chr_file { read write };
allow rhgb_t tty_device_t:chr_file rw_file_perms;

read_locale(rhgb_t)
allow rhgb_t { etc_t etc_runtime_t }:file { getattr read };

# for ramfs file systems
# rhgb_t gets full create/write access to ramfs_t contents. The two
# insmod_t rules grant the module loader write access to ramfs files and
# use of descriptors inherited from rhgb_t; presumably this is so insmod
# output can reach the graphical boot display - confirm against the
# rhgb sources, since it is access given to a domain other than rhgb_t.
allow rhgb_t ramfs_t:dir { setattr rw_dir_perms };
allow rhgb_t ramfs_t:sock_file create_file_perms;
allow rhgb_t ramfs_t:{ file fifo_file } create_file_perms;
allow insmod_t ramfs_t:file write;
allow insmod_t rhgb_t:fd use;

# Mounting the ramfs requires sys_admin, which is a very broad capability;
# it is restricted here only by the filesystem and mount-point types rhgb_t
# may act on (ramfs_t and mnt_t). The var_run_t dontaudit only silences
# denials, it grants nothing.
allow rhgb_t ramfs_t:filesystem { mount unmount };
allow rhgb_t mnt_t:dir { search mounton };
allow rhgb_t self:capability { sys_admin sys_tty_config };
dontaudit rhgb_t var_run_t:dir search;

# Outbound network client access and ypbind (NIS) lookups. Why a boot
# splash needs network client access is not explained in this file;
# presumably name-service lookups during X startup.
can_network_client(rhgb_t)
can_ypbind(rhgb_t)

# for fonts
allow rhgb_t usr_t:{ file lnk_file } { getattr read };

# for running setxkbmap
r_dir_file(rhgb_t, var_lib_xkb_t)

# for localization
allow rhgb_t lib_t:file { getattr read };

# Lets rhgb send requests to init through the initctl fifo.
allow rhgb_t initctl_t:fifo_file write;

ifdef(`hide_broken_symptoms', `
# it should not do this
# Suppresses log noise only; the home directory search is still denied.
dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
')dnl end hide_broken_symptoms

# Expected to define rhgb_devpts_t, which is referenced further below.
can_create_pty(rhgb)

# Shared memory between rhgb and the X server it started.
allow rhgb_t self:shm create_shm_perms;
allow xdm_xserver_t rhgb_t:shm rw_shm_perms;

# init scripts connect to the rhgb unix socket; the X server reads and
# writes the rhgb tmpfs files created via tmpfs_domain (rhgb_tmpfs_t).
can_unix_connect(initrc_t, rhgb_t)
tmpfs_domain(rhgb)
allow xdm_xserver_t rhgb_tmpfs_t:file { read write };

allow rhgb_t fonts_t:dir { getattr read search };
allow rhgb_t fonts_t:file { getattr read };

# for nscd
dontaudit rhgb_t var_t:dir search;

ifdef(`hide_broken_symptoms', `
# for a bug in the X server
# All of these are dontaudit rules for domains other than rhgb_t
# (insmod_t and mount_t); they hide denials rather than permit access.
dontaudit insmod_t xdm_xserver_t:tcp_socket { read write };
dontaudit insmod_t serial_device:chr_file { read write };
dontaudit mount_t rhgb_gph_t:fd use;
dontaudit mount_t rhgb_t:unix_stream_socket { read write };
dontaudit mount_t ptmx_t:chr_file { read write };
')dnl end hide_broken_symptoms

# Only applies when the firstboot policy is part of the build.
ifdef(`firstboot.te', `
allow rhgb_t firstboot_rw_t:file r_file_perms;
')
allow rhgb_t tmp_t:dir search;
# rhgb may kill the X server it launched.
allow rhgb_t xdm_xserver_t:process sigkill;
# NOTE(review): the subject here is the domain attribute, i.e. every
# domain in the policy, not just rhgb_t. This lets any process read and
# write the rhgb pty; it is far wider than the rest of this file and is
# worth confirming whether a narrower set of domains would do.
allow domain rhgb_devpts_t:chr_file { read write };
ifdef(`fsadm.te', `
dontaudit fsadm_t ramfs_t:fifo_file write;
')
allow rhgb_t xdm_xserver_tmp_t:file { getattr read };
# NOTE(review): the allow rule for default_t:file { getattr read } at the
# end of this file already permits read, so this dontaudit has no effect
# on read denials and is redundant with it.
dontaudit rhgb_t default_t:file read;

# The initrc_t side of the rhgb socket in the ramfs.
allow initrc_t ramfs_t:dir search;
allow initrc_t ramfs_t:sock_file write;
allow initrc_t rhgb_t:unix_stream_socket { read write };

allow rhgb_t default_t:file { getattr read };