## X Windows Server ######################################## ## ## Rules required for using the X Windows server ## and environment, for restricted users. ## ## ## ## Role allowed access. ## ## ## ## ## Domain allowed access. ## ## # interface(`xserver_restricted_role',` gen_require(` type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t; type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; type iceauth_t, iceauth_exec_t, iceauth_home_t; type xauth_t, xauth_exec_t, xauth_home_t; ') role $1 types { xserver_t xauth_t iceauth_t }; # Xserver read/write client shm allow xserver_t $2:fd use; allow xserver_t $2:shm rw_shm_perms; allow xserver_t $2:process signal; allow xserver_t $2:shm rw_shm_perms; allow $2 user_fonts_t:dir list_dir_perms; allow $2 user_fonts_t:file read_file_perms; allow $2 user_fonts_config_t:dir list_dir_perms; allow $2 user_fonts_config_t:file read_file_perms; manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) files_search_tmp($2) # Communicate via System V shared memory. allow $2 xserver_t:shm r_shm_perms; allow $2 xserver_tmpfs_t:file read_file_perms; # allow ps to show iceauth ps_process_pattern($2, iceauth_t) domtrans_pattern($2, iceauth_exec_t, iceauth_t) allow $2 iceauth_home_t:file read_file_perms; domtrans_pattern($2, xauth_exec_t, xauth_t) allow $2 xauth_t:process signal; # allow ps to show xauth ps_process_pattern($2, xauth_t) allow $2 xserver_t:process signal; allow $2 xauth_home_t:file read_file_perms; # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; allow $2 xdm_t:fifo_file { getattr read write ioctl }; allow $2 xdm_tmp_t:dir search; allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; # Client read xserver shm allow $2 xserver_t:fd use; allow $2 xserver_tmpfs_t:file read_file_perms; # Read /tmp/.X0-lock allow $2 xserver_tmp_t:file { getattr read }; dev_rw_xserver_misc($2) dev_map_xserver_misc($2) dev_rw_power_management($2) dev_read_input($2) dev_read_misc($2) dev_write_misc($2) # open office is looking for the following dev_getattr_agp_dev($2) dev_dontaudit_rw_dri($2) # GNOME checks for usb and other devices: dev_rw_usbfs($2) miscfiles_read_fonts($2) xserver_common_x_domain_template(user, $2) xserver_domtrans($2) xserver_unconfined($2) xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) # certain apps want to read xdm.pid file xserver_read_xdm_pid($2) # gnome-session creates socket under /tmp/.ICE-unix/ xserver_create_xdm_tmp_sockets($2) # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) # for the .xsession-errors log file xserver_user_home_dir_filetrans_user_xsession_log($2) xserver_manage_xsession_log($2) # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') ') ######################################## ## ## Rules required for using the X Windows server ## and environment. ## ## ## ## Role allowed access. ## ## ## ## ## Domain allowed access. ## ## # interface(`xserver_role',` gen_require(` type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t; type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; type mesa_shader_cache_t; ') xserver_restricted_role($1, $2) # Communicate via System V shared memory. allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; allow $2 iceauth_home_t:file manage_file_perms; allow $2 iceauth_home_t:file { relabelfrom relabelto }; allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; manage_dirs_pattern($2, user_fonts_t, user_fonts_t) manage_files_pattern($2, user_fonts_t, user_fonts_t) relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) relabel_files_pattern($2, user_fonts_t, user_fonts_t) manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) manage_dirs_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t) manage_files_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t) allow $2 mesa_shader_cache_t:file map; relabel_dirs_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t) relabel_files_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t) xserver_user_home_dir_filetrans_user_iceauth($2, ".ICEauthority") xserver_read_xkb_libs($2) optional_policy(` xdg_manage_all_cache($2) xdg_relabel_all_cache($2) xdg_manage_all_config($2) xdg_relabel_all_config($2) xdg_manage_all_data($2) xdg_relabel_all_data($2) xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache") xdg_generic_user_home_dir_filetrans_config($2, dir, ".config") xdg_generic_user_home_dir_filetrans_data($2, dir, ".local") xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents") xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads") xdg_generic_user_home_dir_filetrans_music($2, dir, "Music") xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures") xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos") xdg_manage_documents($2) xdg_relabel_documents($2) xdg_manage_downloads($2) xdg_relabel_downloads($2) xdg_manage_music($2) xdg_relabel_music($2) xdg_manage_pictures($2) xdg_relabel_pictures($2) xdg_manage_videos($2) xdg_relabel_videos($2) xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache") ') ') ####################################### ## ## Create sessions on the X server, with read-only ## access to the X server shared ## memory segments. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the domain SYSV tmpfs files. ## ## # interface(`xserver_ro_session',` gen_require(` type xserver_t, xserver_tmp_t, xserver_tmpfs_t; ') # Xserver read/write client shm allow xserver_t $1:fd use; allow xserver_t $1:shm rw_shm_perms; allow xserver_t $2:file { rw_file_perms map }; # Connect to xserver allow $1 xserver_t:unix_stream_socket connectto; allow $1 xserver_t:process signal; # Read /tmp/.X0-lock allow $1 xserver_tmp_t:file { getattr read }; # Client read xserver shm allow $1 xserver_t:fd use; allow $1 xserver_t:shm r_shm_perms; allow $1 xserver_tmpfs_t:file read_file_perms; allow $1 $2:file map; ') ####################################### ## ## Create sessions on the X server, with read and write ## access to the X server shared ## memory segments. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the domain SYSV tmpfs files. ## ## # interface(`xserver_rw_session',` gen_require(` type xserver_t, xserver_tmpfs_t; ') xserver_ro_session($1,$2) allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') ####################################### ## ## Create non-drawing client sessions on an X server. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_non_drawing_client',` gen_require(` class x_drawable { getattr get_property }; class x_extension { query use }; class x_gc { create setattr }; class x_property read; type xserver_t, xdm_var_run_t; type xextension_t, xproperty_t, root_xdrawable_t; ') allow $1 self:x_gc { create setattr }; allow $1 xdm_var_run_t:dir search; allow $1 xserver_t:unix_stream_socket connectto; allow $1 xextension_t:x_extension { query use }; allow $1 root_xdrawable_t:x_drawable { getattr get_property }; allow $1 xproperty_t:x_property read; ') ####################################### ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Provides the minimal set required by a basic ## X client application. ## ## ## ## The prefix of the X client domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## Client domain allowed access. ## ## # template(`xserver_common_x_domain_template',` gen_require(` type root_xdrawable_t; type xproperty_t, $1_xproperty_t; type xevent_t, client_xevent_t; type input_xevent_t, $1_input_xevent_t; attribute x_domain; attribute xdrawable_type, xcolormap_type; attribute input_xevent_type; class x_drawable all_x_drawable_perms; class x_property all_x_property_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; ') ############################## # # Local Policy # # Type attributes typeattribute $2 x_domain; typeattribute $2 xdrawable_type, xcolormap_type; # X Properties # disable property transitions for the time being. # type_transition $2 xproperty_t:x_property $1_xproperty_t; # X Windows # new windows have the domain type type_transition $2 root_xdrawable_t:x_drawable $2; # X Input # distinguish input events type_transition $2 input_xevent_t:x_event $1_input_xevent_t; # can send own events allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } send; # can receive own events allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; # can receive default events allow $2 client_xevent_t:{ x_event x_synthetic_event } receive; allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; ') ####################################### ## ## Template for creating the set of types used ## in an X windows domain. ## ## ## ## The prefix of the X client domain (e.g., user ## is the prefix for user_t). ## ## # template(`xserver_object_types_template',` gen_require(` attribute xproperty_type, input_xevent_type, xevent_type; ') ############################## # # Declarations # # Types for properties type $1_xproperty_t, xproperty_type; ubac_constrained($1_xproperty_t) # Types for events type $1_input_xevent_t, input_xevent_type, xevent_type; ubac_constrained($1_input_xevent_t) ') ####################################### ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Provides the minimal set required by a basic ## X client application. ## ## ## ## The prefix of the X client domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## Client domain allowed access. ## ## ## ## ## The type of the domain SYSV tmpfs files. ## ## # template(`xserver_user_x_domain_template',` gen_require(` type xdm_t, xdm_tmp_t; type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; ') allow $2 self:shm create_shm_perms; allow $2 self:unix_dgram_socket create_socket_perms; allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; allow $2 xdm_t:fifo_file { getattr read write ioctl }; allow $2 xdm_tmp_t:dir search_dir_perms; allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. files_search_tmp($2) miscfiles_read_fonts($2) userdom_search_user_home_dirs($2) # for .xsession-errors xserver_rw_xsession_log($2) xserver_ro_session($2,$3) xserver_use_user_fonts($2) xserver_read_xdm_tmp_files($2) # X object manager xserver_object_types_template($1) xserver_common_x_domain_template($1,$2) # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') ') ######################################## ## ## Read user fonts, user font configuration, ## and manage the user font cache. ## ## ##

## Read user fonts, user font configuration, ## and manage the user font cache. ##

##

## This is a templated interface, and should only ## be called from a per-userdomain template. ##

##
## ## ## Domain allowed access. ## ## # interface(`xserver_use_user_fonts',` gen_require(` type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; ') # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file { map read_file_perms }; # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t) allow $1 user_fonts_cache_t:file { map read_file_perms }; # Read per user font config allow $1 user_fonts_config_t:dir list_dir_perms; allow $1 user_fonts_config_t:file read_file_perms; userdom_search_user_home_dirs($1) xdg_search_cache_dirs($1) ') ######################################## ## ## Transition to the Xauthority domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`xserver_domtrans_xauth',` gen_require(` type xauth_t, xauth_exec_t; ') domtrans_pattern($1, xauth_exec_t, xauth_t) ') ######################################## ## ## Create a Xauthority file in the user home directory. ## ## ## ## Domain allowed access. ## ## ## ## ## The name of the object being created. ## ## # interface(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` type xauth_home_t; ') userdom_user_home_dir_filetrans($1, xauth_home_t, file, $2) ') ####################################### ## ## Create a ICEauthority file in ## the user home directory. ## ## ## ## Domain allowed access. ## ## ## ## ## The name of the object being created. ## ## # interface(`xserver_user_home_dir_filetrans_user_iceauth',` gen_require(` type iceauth_home_t; ') userdom_user_home_dir_filetrans($1, iceauth_home_t, file, $2) ') ######################################## ## ## Create a .xsession-errors log ## file in the user home directory. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_user_home_dir_filetrans_user_xsession_log',` gen_require(` type xsession_log_t; ') userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors") ') ######################################## ## ## Read all users .Xauthority. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_user_xauth',` gen_require(` type xauth_home_t; ') allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) ') ######################################## ## ## Read all users .dmrc. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_user_dmrc',` gen_require(` type dmrc_home_t; ') allow $1 dmrc_home_t:file read_file_perms; userdom_search_user_home_dirs($1) ') ######################################## ## ## Read all users .ICEauthority. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_user_iceauth',` gen_require(` type iceauth_home_t; ') allow $1 iceauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) ') ######################################## ## ## Set the attributes of the X windows console named pipes. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_setattr_console_pipes',` gen_require(` type xconsole_device_t; ') allow $1 xconsole_device_t:fifo_file setattr; ') ######################################## ## ## Read and write the X windows console named pipe. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_console',` gen_require(` type xconsole_device_t; ') allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Create the X windows console named pipes. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_create_console_pipes',` gen_require(` type xconsole_device_t; ') allow $1 xconsole_device_t:fifo_file create; ') ######################################## ## ## relabel the X windows console named pipes. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_relabel_console_pipes',` gen_require(` type xconsole_device_t; ') allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto }; ') ######################################## ## ## Use file descriptors for xdm. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_use_xdm_fds',` gen_require(` type xdm_t; ') allow $1 xdm_t:fd use; ') ######################################## ## ## Do not audit attempts to inherit ## XDM file descriptors. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_use_xdm_fds',` gen_require(` type xdm_t; ') dontaudit $1 xdm_t:fd use; ') ######################################## ## ## Allow domain to send sigchld to xdm_t ## ## ## ## Domain allowed access. ## ## # interface(`xserver_sigchld_xdm',` gen_require(` type xdm_t; ') allow $1 xdm_t:process sigchld; ') ######################################## ## ## Read and write XDM unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_xdm_pipes',` gen_require(` type xdm_t; ') allow $1 xdm_t:fifo_file { getattr read write }; ') ######################################## ## ## Do not audit attempts to read and write ## XDM unnamed pipes. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_rw_xdm_pipes',` gen_require(` type xdm_t; ') dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Send and receive messages from ## xdm over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_dbus_chat_xdm',` gen_require(` type xdm_t; class dbus send_msg; ') allow $1 xdm_t:dbus send_msg; allow xdm_t $1:dbus send_msg; ') ######################################## ## ## Read xdm process state files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_state',` gen_require(` type xdm_t; ') kernel_search_proc($1) allow $1 xdm_t:dir list_dir_perms; allow $1 xdm_t:file read_file_perms; allow $1 xdm_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Set the priority of the X Display ## Manager (XDM). ## ## ## ## Domain allowed access. ## ## # interface(`xserver_setsched_xdm',` gen_require(` type xdm_t; ') allow $1 xdm_t:process setsched; ') ######################################## ## ## Create, read, write, and delete ## xdm_spool files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_manage_xdm_spool_files',` refpolicywarn(`$0() has been deprecated.') ') ######################################## ## ## Connect to XDM over a unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_stream_connect_xdm',` gen_require(` type xdm_t, xdm_tmp_t; ') files_search_tmp($1) stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) ') ######################################## ## ## Read xdm-writable configuration files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_rw_config',` gen_require(` type xdm_rw_etc_t; ') files_search_etc($1) allow $1 xdm_rw_etc_t:file read_file_perms; ') ######################################## ## ## Set the attributes of XDM temporary directories. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_setattr_xdm_tmp_dirs',` gen_require(` type xdm_tmp_t; ') allow $1 xdm_tmp_t:dir setattr; ') ######################################## ## ## Create a named socket in a XDM ## temporary directory. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_create_xdm_tmp_sockets',` gen_require(` type xdm_tmp_t; ') files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') ######################################## ## ## Delete a named socket in a XDM ## temporary directory. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_delete_xdm_tmp_sockets',` gen_require(` type xdm_tmp_t; ') files_search_tmp($1) delete_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') ######################################## ## ## Read XDM pid files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_pid',` gen_require(` type xdm_var_run_t; ') files_search_pids($1) allow $1 xdm_var_run_t:file read_file_perms; ') ######################################## ## ## Read XDM var lib files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_lib_files',` gen_require(` type xdm_var_lib_t; ') allow $1 xdm_var_lib_t:file read_file_perms; ') ######################################## ## ## Make an X session script an entrypoint for the specified domain. ## ## ## ## The domain for which the shell is an entrypoint. ## ## # interface(`xserver_xsession_entry_type',` gen_require(` type xsession_exec_t; ') domain_entry_file($1, xsession_exec_t) ') ######################################## ## ## Execute an X session in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ##

## Execute an Xsession in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## The type of the shell process. ## ## # interface(`xserver_xsession_spec_domtrans',` gen_require(` type xsession_exec_t; ') domain_transition_pattern($1, xsession_exec_t, $2) ') ######################################## ## ## Write to inherited xsession log ## files such as .xsession-errors. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_write_inherited_xsession_log',` gen_require(` type xsession_log_t; ') allow $1 xsession_log_t:file write_inherited_file_perms; ') ######################################## ## ## Read and write xsession log ## files such as .xsession-errors. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_xsession_log',` gen_require(` type xsession_log_t; ') allow $1 xsession_log_t:file rw_file_perms; ') ######################################## ## ## Manage xsession log files such ## as .xsession-errors. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_manage_xsession_log',` gen_require(` type xsession_log_t; ') allow $1 xsession_log_t:file manage_file_perms; ') ######################################## ## ## Write to inherited X server log ## files like /var/log/lightdm/lightdm.log ## ## ## ## Domain allowed access. ## ## # interface(`xserver_write_inherited_log',` gen_require(` type xserver_log_t; ') allow $1 xserver_log_t:file write_inherited_file_perms; ') ######################################## ## ## Get the attributes of X server logs. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_getattr_log',` gen_require(` type xserver_log_t; ') logging_search_logs($1) allow $1 xserver_log_t:file getattr; ') ######################################## ## ## Do not audit attempts to write the X server ## log files. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_write_log',` gen_require(` type xserver_log_t; ') dontaudit $1 xserver_log_t:file { append ioctl write }; ') ######################################## ## ## Delete X server log files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_delete_log',` gen_require(` type xserver_log_t; ') logging_search_logs($1) allow $1 xserver_log_t:dir list_dir_perms; delete_files_pattern($1, xserver_log_t, xserver_log_t) delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t) ') ######################################## ## ## Read X keyboard extension libraries. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xkb_libs',` gen_require(` type xkb_var_lib_t; ') files_search_var_lib($1) allow $1 xkb_var_lib_t:dir list_dir_perms; read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) ') ######################################## ## ## Create xdm temporary directories. ## ## ## ## Domain to allow access. ## ## # interface(`xserver_create_xdm_tmp_dirs',` gen_require(` type xdm_tmp_t; ') allow $1 xdm_tmp_t:dir create; ') ######################################## ## ## Read xdm temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_tmp_files',` gen_require(` type xdm_tmp_t; ') files_search_tmp($1) read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') ######################################## ## ## Do not audit attempts to read xdm temporary files. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_read_xdm_tmp_files',` gen_require(` type xdm_tmp_t; ') dontaudit $1 xdm_tmp_t:dir search_dir_perms; dontaudit $1 xdm_tmp_t:file read_file_perms; ') ######################################## ## ## Read write xdm temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_xdm_tmp_files',` gen_require(` type xdm_tmp_t; ') allow $1 xdm_tmp_t:dir search_dir_perms; allow $1 xdm_tmp_t:file rw_file_perms; ') ######################################## ## ## Create, read, write, and delete xdm temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_manage_xdm_tmp_files',` gen_require(` type xdm_tmp_t; ') manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') ######################################## ## ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` gen_require(` type xdm_tmp_t; ') dontaudit $1 xdm_tmp_t:sock_file getattr; ') ######################################## ## ## list xdm_tmp_t directories ## ## ## ## Domain to allow ## ## # interface(`xserver_list_xdm_tmp',` gen_require(` type xdm_tmp_t; ') allow $1 xdm_tmp_t:dir list_dir_perms; ') ######################################## ## ## Execute the X server in the X server domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`xserver_domtrans',` gen_require(` type xserver_t, xserver_exec_t; ') allow $1 xserver_t:process siginh; domtrans_pattern($1, xserver_exec_t, xserver_t) ') ######################################## ## ## Signal X servers ## ## ## ## Domain allowed access. ## ## # interface(`xserver_signal',` gen_require(` type xserver_t; ') allow $1 xserver_t:process signal; ') ######################################## ## ## Kill X servers ## ## ## ## Domain allowed access. ## ## # interface(`xserver_kill',` gen_require(` type xserver_t; ') allow $1 xserver_t:process sigkill; ') ######################################## ## ## Allow reading xserver_t files to get cgroup and sessionid ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_state',` gen_require(` type xserver_t; ') allow $1 xserver_t:dir search; allow $1 xserver_t:file read_file_perms; ') ######################################## ## ## Read and write X server Sys V Shared ## memory segments. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_shm',` gen_require(` type xserver_t; ') allow $1 xserver_t:shm rw_shm_perms; ') ######################################## ## ## Do not audit attempts to read and write to ## X server sockets. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_rw_tcp_sockets',` gen_require(` type xserver_t; ') dontaudit $1 xserver_t:tcp_socket { read write }; ') ######################################## ## ## Do not audit attempts to read and write X server ## unix domain stream sockets. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_rw_stream_sockets',` gen_require(` type xserver_t; ') dontaudit $1 xserver_t:unix_stream_socket { read write }; ') ######################################## ## ## Connect to the X server over a unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_stream_connect',` gen_require(` type xserver_t, xserver_tmp_t; ') files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) ') ######################################## ## ## Read X server temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_tmp_files',` gen_require(` type xserver_tmp_t; ') allow $1 xserver_tmp_t:file read_file_perms; files_search_tmp($1) ') ######################################## ## ## talk to xserver_t by dbus ## ## ## ## Domain allowed access. ## ## # interface(`xserver_dbus_chat',` gen_require(` type xserver_t; ') allow $1 xserver_t:dbus send_msg; allow xserver_t $1:dbus send_msg; ') ######################################## ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the ## virtual core keyboard and virtual core pointer devices. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_manage_core_devices',` gen_require(` type xserver_t; class x_device all_x_device_perms; class x_pointer all_x_pointer_perms; class x_keyboard all_x_keyboard_perms; ') allow $1 xserver_t:{ x_device x_pointer x_keyboard } { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy }; ') ######################################## ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_unconfined',` gen_require(` attribute x_domain; attribute xserver_unconfined_type; ') typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') ######################################## ## ## Manage keys for xdm. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_xdm_keys',` gen_require(` type xdm_t; ') allow $1 xdm_t:key { read write setattr }; ') ######################################## ## ## Manage keys for xdm. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_link_xdm_keys',` gen_require(` type xdm_t; ') allow $1 xdm_t:key link; ') ######################################## ## ## Read and write the mesa shader cache. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_mesa_shader_cache',` gen_require(` type mesa_shader_cache_t; ') rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) allow $1 mesa_shader_cache_t:file map; xdg_search_cache_dirs($1) ')