#DESC XFS - X Font Server
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
#           Russell Coker <russell@coker.com.au>
# X-Debian-Packages: xfs
#

#################################
#
# Rules for the xfs_t domain.
#
# xfs_t is the domain of the X font server.
# xfs_exec_t is the type of the xfs executable.
#
daemon_domain(xfs)

# for /tmp/.font-unix/fs7100
ifdef(`distro_debian', `
type xfs_tmp_t, file_type, sysadmfile, tmpfile;
allow xfs_t tmp_t:dir search;
file_type_auto_trans(xfs_t, initrc_tmp_t, xfs_tmp_t, sock_file)
', `
tmp_domain(xfs, `', `{dir sock_file}')
')

allow xfs_t { etc_t etc_runtime_t }:file { getattr read };
allow xfs_t proc_t:file { getattr read };

allow xfs_t self:process setpgid;
can_ypbind(xfs_t)

# Use capabilities.
allow xfs_t self:capability { setgid setuid };

# Bind to /tmp/.font-unix/fs-1.
allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
allow xfs_t self:unix_stream_socket create_stream_socket_perms;
allow xfs_t self:unix_dgram_socket create_socket_perms;

# Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*
allow xfs_t fonts_t:dir search;
allow xfs_t fonts_t:file { getattr read };

# Unlink the xfs socket.
allow initrc_t xfs_tmp_t:dir rw_dir_perms;
allow initrc_t xfs_tmp_t:dir rmdir;
allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };
allow initrc_t fonts_t:dir create_dir_perms;
allow initrc_t fonts_t:file create_file_perms;