policy_module(xdm,1.1.1) ######################################## # # Declarations # type xdm_t; # real declaration moved to mls until # range_transition works in loadable modules gen_require(` type xdm_exec_t; ') init_domain(xdm_t,xdm_exec_t) init_daemon_domain(xdm_t,xdm_exec_t) type xsession_exec_t; files_type(xsession_exec_t) # temp: typeattribute xsession_exec_t entry_type; type xserver_log_t; files_type(xserver_log_t) type xdm_xserver_tmp_t; files_type(xdm_xserver_tmp_t) type xdm_lock_t; files_lock_file(xdm_lock_t) type xdm_rw_etc_t; files_type(xdm_rw_etc_t) type xdm_var_run_t; files_type(xdm_var_run_t) type xdm_var_lib_t; files_type(xdm_var_lib_t) type xdm_tmp_t; files_tmp_file(xdm_tmp_t) type xdm_tmpfs_t; files_tmpfs_file(xdm_tmpfs_t) ######################################## # # Local policy # allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; allow xdm_t self:process { setexec setpgid setsched setrlimit }; allow xdm_t self:fifo_file rw_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow xdm_t self:unix_dgram_socket create_socket_perms; kernel_read_system_state(xdm_t) kernel_read_kernel_sysctl(xdm_t) dev_read_rand(xdm_t) dev_read_urand(xdm_t) selinux_get_fs_mount(xdm_t) selinux_validate_context(xdm_t) selinux_compute_access_vector(xdm_t) selinux_compute_create_context(xdm_t) selinux_compute_relabel_context(xdm_t) selinux_compute_user_contexts(xdm_t) files_read_etc_runtime_files(xdm_t) ifdef(`targeted_policy',` allow xdm_t self:process execmem; unconfined_domain_template(xdm_t) unconfined_domtrans(xdm_t) ',` allow xdm_t xdm_lock_t:file create_file_perms; files_filetrans_lock(xdm_t,xdm_lock_t) allow xdm_t xdm_tmp_t:dir create_dir_perms; allow xdm_t xdm_tmp_t:file create_file_perms; allow xdm_t xdm_tmp_t:file create_file_perms; files_filetrans_tmp(xdm_t, xdm_tmp_t, { file dir sock_file }) allow xdm_t xdm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; allow xdm_t xdm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow xdm_t xdm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; allow xdm_t xdm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; allow xdm_t xdm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; fs_filetrans_tmpfs(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) allow xdm_t xdm_var_lib_t:file create_file_perms; allow xdm_t xdm_var_lib_t:dir create_dir_perms; files_filetrans_var_lib(xdm_t,xdm_var_lib_t) ') optional_policy(`locallogin',` locallogin_signull(xdm_t) ') optional_policy(`userhelper',` userhelper_dontaudit_search_config(xdm_t) ') ifdef(`TODO',` # cjp: TODO: integrate strict policy: daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain') allow xdm_t xdm_var_run_t:dir setattr; # for xdmctl allow xdm_t xdm_var_run_t:fifo_file create_file_perms; allow initrc_t xdm_var_run_t:fifo_file unlink; file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file) file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir) # NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; allow xdm_xserver_t xdm_var_run_t:file { getattr read }; allow xdm_t default_context_t:dir search; allow xdm_t default_context_t:{ file lnk_file } { read getattr }; can_network(xdm_t) allow xdm_t port_type:tcp_socket name_connect; allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms; allow xdm_t xdm_xserver_t:process signal; can_unix_connect(xdm_t, xdm_xserver_t) allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms; allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms }; allow xdm_xserver_t xdm_t:process signal; # for reboot allow xdm_t initctl_t:fifo_file write; # init script wants to check if it needs to update windowmanagerlist allow initrc_t xdm_rw_etc_t:file { getattr read }; ifdef(`distro_suse', ` # set permissions on /tmp/.X11-unix allow initrc_t xdm_tmp_t:dir setattr; ') # Transition to user domains for user sessions. domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain) allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto; allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms; allow unpriv_userdomain xdm_xserver_t:fd use; allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read }; allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms; allow xdm_xserver_t unpriv_userdomain:fd use; # Do not audit user access to the X log files due to file handle inheritance dontaudit unpriv_userdomain xserver_log_t:file { write append }; # gnome-session creates socket under /tmp/.ICE-unix/ allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms; allow unpriv_userdomain xdm_tmp_t:sock_file create; # Allow xdm logins as sysadm_r:sysadm_t bool xdm_sysadm_login false; if (xdm_sysadm_login) { domain_trans(xdm_t, xsession_exec_t, sysadm_t) allow sysadm_t xdm_xserver_t:unix_stream_socket connectto; allow sysadm_t xdm_xserver_t:shm r_shm_perms; allow sysadm_t xdm_xserver_t:fd use; allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read }; allow xdm_xserver_t sysadm_t:shm rw_shm_perms; allow xdm_xserver_t sysadm_t:fd use; } # Label pid and temporary files with derived types. rw_dir_create_file(xdm_xserver_t, xdm_tmp_t) allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms; # Run helper programs. allow xdm_t etc_t:file { getattr read }; allow xdm_t bin_t:dir { getattr search }; # lib_t is for running cpp can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t }) allow xdm_t { bin_t sbin_t }:lnk_file read; ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)') ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)') allow xdm_t xdm_xserver_t:process sigkill; allow xdm_t xdm_xserver_tmp_t:file unlink; # Access devices. allow xdm_t device_t:dir { read search }; allow xdm_t console_device_t:chr_file setattr; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; allow xdm_t framebuf_device_t:chr_file { getattr setattr }; allow xdm_t mouse_device_t:chr_file { getattr setattr }; allow xdm_t apm_bios_t:chr_file { setattr getattr read write }; allow xdm_t dri_device_t:chr_file rw_file_perms; allow xdm_t device_t:dir rw_dir_perms; allow xdm_t agp_device_t:chr_file rw_file_perms; allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr }; allow xdm_t v4l_device_t:chr_file { setattr getattr }; allow xdm_t scanner_device_t:chr_file { setattr getattr }; allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr }; allow xdm_t device_t:lnk_file read; can_resmgrd_connect(xdm_t) # Access xdm log files. file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file) allow xdm_t xserver_log_t:dir rw_dir_perms; allow xdm_t xserver_log_t:dir setattr; # Access /var/gdm/.gdmfifo. allow xdm_t xserver_log_t:fifo_file create_file_perms; allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto; allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms; allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use; allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read }; allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms; allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use; # Remove /tmp/.X11-unix/X0. allow xdm_t xdm_xserver_tmp_t:dir { remove_name write }; allow xdm_t xdm_xserver_tmp_t:sock_file unlink; ifdef(`gpm.te', ` # Talk to the console mouse server. allow xdm_t gpmctl_t:sock_file { getattr setattr write }; allow xdm_t gpm_t:unix_stream_socket connectto; ') allow xdm_t sysfs_t:dir search; # Update utmp and wtmp. allow xdm_t initrc_var_run_t: file { read write lock }; allow xdm_t wtmp_t:file append; # Update lastlog. allow xdm_t lastlog_t:file rw_file_perms; # Need to further investigate these permissions and # perhaps define derived types. allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink }; allow xdm_t var_lib_t:file { create write unlink }; # Connect to xfs. ifdef(`xfs.te', ` allow xdm_t xfs_tmp_t:dir search; allow xdm_t xfs_tmp_t:sock_file write; can_unix_connect(xdm_t, xfs_t) ') allow xdm_t etc_t:lnk_file read; # wdm has its own config dir /etc/X11/wdm # this is ugly, daemons should not create files under /etc! allow xdm_t xdm_rw_etc_t:dir rw_dir_perms; allow xdm_t xdm_rw_etc_t:file create_file_perms; # Signal any user domain. allow xdm_t userdomain:process signal_perms; # Search /proc for any user domain processes. allow xdm_t userdomain:dir r_dir_perms; allow xdm_t userdomain:{ file lnk_file } r_file_perms; # Allow xdm access to the user domains allow xdm_t home_root_t:dir search; allow xdm_xserver_t home_root_t:dir search; # Do not audit denied attempts to access devices. dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms}; dontaudit xdm_t device_t:file_class_set rw_file_perms; dontaudit xdm_t misc_device_t:file_class_set rw_file_perms; dontaudit xdm_t removable_device_t:file_class_set rw_file_perms; dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms; dontaudit xdm_t devpts_t:dir search; # Do not audit denied probes of /proc. dontaudit xdm_t domain:dir r_dir_perms; dontaudit xdm_t domain:{ file lnk_file } r_file_perms; # Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme... allow xdm_t usr_t:{ lnk_file file } { getattr read }; # Read fonts read_fonts(xdm_t) # Do not audit attempts to write to index files under /usr dontaudit xdm_t usr_t:file write; # Do not audit access to /root dontaudit xdm_t sysadm_home_dir_t:dir { getattr search }; # Do not audit user access to the X log files due to file handle inheritance dontaudit unpriv_userdomain xserver_log_t:file { write append }; # Do not audit attempts to check whether user root has email dontaudit xdm_t { var_spool_t mail_spool_t }:dir search; dontaudit xdm_t mail_spool_t:file getattr; # Access sound device. allow xdm_t sound_device_t:chr_file { setattr getattr }; # Allow setting of attributes on power management devices. allow xdm_t power_device_t:chr_file { getattr setattr }; # Run the X server in a derived domain. xserver_domain(xdm) ifdef(`rhgb.te', ` allow xdm_xserver_t ramfs_t:dir rw_dir_perms; allow xdm_xserver_t ramfs_t:file create_file_perms; allow rhgb_t xdm_xserver_t:process signal; ') # Unrestricted inheritance. allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh }; # Run xkbcomp. allow xdm_xserver_t var_lib_t:dir search; allow xdm_xserver_t xkb_var_lib_t:lnk_file read; can_exec(xdm_xserver_t, xkb_var_lib_t) optional_policy(`prelink',` prelink_object_file(xkb_var_lib_t) ') # Insert video drivers. allow xdm_xserver_t self:capability mknod; allow xdm_xserver_t sysctl_modprobe_t:file { getattr read }; domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t) allow insmod_t xserver_log_t:file write; allow insmod_t xdm_xserver_t:unix_stream_socket { read write }; # Read /proc/dri/.* allow xdm_xserver_t proc_t:dir { search read }; # Search /var/run. allow xdm_xserver_t var_run_t:dir search; # FIXME: After per user fonts are properly working # xdm_xserver_t may no longer have any reason # to read ROLE_home_t - examine this in more detail # (xauth?) # Search home directories. allow xdm_xserver_t user_home_type:dir search; allow xdm_xserver_t user_home_type:file { getattr read }; if (use_nfs_home_dirs) { allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr }; allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms; allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms; can_exec(xdm_t, nfs_t) } if (use_samba_home_dirs) { allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms; allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms; can_exec(xdm_t, cifs_t) } # for .dmrc allow xdm_t user_home_dir_type:dir { getattr search }; allow xdm_t user_home_type:file { getattr read }; ifdef(`support_polyinstatiation', ` # xdm_t can polyinstantiate polyinstantiater(xdm_t) # xdm needs access for linking .X11-unix to poly /tmp allow xdm_t polymember:dir { add_name remove_name write }; allow xdm_t polymember:lnk_file { create unlink }; # xdm needs access for copying .Xauthority into new home allow xdm_t polymember:file { create getattr write }; ') allow xdm_t mnt_t:dir { getattr read search }; # # Wants to delete .xsession-errors file # allow xdm_t user_home_type:file unlink; # # Should fix exec of pam_timestamp_check is not closing xdm file descriptor # ifdef(`pam.te', ` allow xdm_t pam_var_run_t:dir create_dir_perms; allow xdm_t pam_var_run_t:file create_file_perms; allow pam_t xdm_t:fifo_file { getattr ioctl write }; domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t) can_exec(xdm_t, pam_exec_t) # For pam_console rw_dir_create_file(xdm_t, pam_var_console_t) ') # Pamconsole/alsa ifdef(`alsa.te', ` domain_auto_trans(xdm_t, alsa_exec_t, alsa_t) ') dnl ifdef allow xdm_t var_log_t:file { getattr read }; allow xdm_t wtmp_t:file { getattr read }; domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t) # # Poweroff wants to create the /poweroff file when run from xdm # file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file) # # xdm tries to bind to biff_port_t # dontaudit xdm_t port_type:tcp_socket name_bind; # VNC v4 module in X server allow xdm_xserver_t vnc_port_t:tcp_socket name_bind; ifdef(`crack.te', ` allow xdm_t crack_db_t:file r_file_perms; ') r_dir_file(xdm_t, selinux_config_t) # Run telinit->init to shutdown. can_exec(xdm_t, init_exec_t) allow xdm_t self:sem create_sem_perms; # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) # Supress permission check on .ICE-unix dontaudit xdm_t ice_tmp_t:dir { getattr setattr }; ') dnl end TODO