352249fc05
Add KWin to list of window managers and allow it to mmap wm_tmpfs_t files to avoid a crash. Related audit event: type=AVC msg=audit(04/24/2020 15:39:25.287:679) : avc: denied { map } for pid=1309 comm=kwin_x11 path=/memfd:JSVMStack:/lib/x86_64-linux-gnu/libQt5Qml.so.5 (deleted) dev="tmpfs" ino=45261 scontext=user_u:user_r:user_wm_t:s0 tcontext=user_u:object_r:wm_tmpfs_t:s0 tclass=file permissive=0 Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
154 lines
3.4 KiB
Plaintext
154 lines
3.4 KiB
Plaintext
policy_module(wm, 1.9.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute wm_domain;
|
|
|
|
type wm_exec_t;
|
|
corecmd_executable_file(wm_exec_t)
|
|
|
|
type wm_tmp_t;
|
|
userdom_user_tmp_file(wm_tmp_t)
|
|
|
|
type wm_tmpfs_t;
|
|
userdom_user_tmpfs_file(wm_tmpfs_t)
|
|
|
|
optional_policy(`
|
|
pulseaudio_tmpfs_content(wm_tmpfs_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Common wm domain local policy
|
|
#
|
|
|
|
allow wm_domain self:fifo_file rw_fifo_file_perms;
|
|
allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };
|
|
allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
|
allow wm_domain self:shm create_shm_perms;
|
|
allow wm_domain self:unix_dgram_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
|
|
manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
|
|
manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
|
|
files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
|
|
|
|
manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
|
|
manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
|
|
mmap_read_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
|
|
manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
|
|
fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
|
|
|
|
can_exec(wm_domain, wm_exec_t)
|
|
|
|
kernel_read_system_state(wm_domain)
|
|
|
|
corecmd_getattr_all_executables(wm_domain)
|
|
|
|
dev_read_rand(wm_domain)
|
|
dev_read_sound(wm_domain)
|
|
dev_read_sysfs(wm_domain)
|
|
dev_read_urand(wm_domain)
|
|
dev_rw_dri(wm_domain)
|
|
dev_rw_wireless(wm_domain)
|
|
dev_write_sound(wm_domain)
|
|
|
|
files_read_etc_runtime_files(wm_domain)
|
|
files_map_usr_files(wm_domain)
|
|
files_read_usr_files(wm_domain)
|
|
|
|
fs_getattr_all_fs(wm_domain)
|
|
|
|
kernel_read_fs_sysctls(wm_domain)
|
|
kernel_read_proc_symlinks(wm_domain)
|
|
kernel_read_sysctl(wm_domain)
|
|
|
|
locallogin_dontaudit_use_fds(wm_domain)
|
|
|
|
miscfiles_read_fonts(wm_domain)
|
|
miscfiles_read_generic_certs(wm_domain)
|
|
miscfiles_read_localization(wm_domain)
|
|
|
|
selinux_get_enforce_mode(wm_domain)
|
|
|
|
seutil_read_config(wm_domain)
|
|
|
|
udev_read_pid_files(wm_domain)
|
|
|
|
# the following is needed by gnome-shell
|
|
userdom_exec_user_home_content_files(wm_domain)
|
|
|
|
userdom_manage_user_tmp_sockets(wm_domain)
|
|
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
|
|
userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
|
|
|
|
# to print error messages
|
|
userdom_use_inherited_user_terminals(wm_domain)
|
|
|
|
userdom_manage_user_home_content_dirs(wm_domain)
|
|
userdom_manage_user_home_content_files(wm_domain)
|
|
|
|
userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
|
|
|
|
wm_dontaudit_exec_tmp_files(wm_domain)
|
|
wm_dontaudit_exec_tmpfs_files(wm_domain)
|
|
|
|
optional_policy(`
|
|
accountsd_dbus_chat(wm_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
bluetooth_dbus_chat(wm_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
consolekit_dbus_chat(wm_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
devicekit_dbus_chat_power(wm_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
evolution_dbus_chat(wm_domain)
|
|
evolution_alarm_dbus_chat(wm_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
games_dbus_chat(wm_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
# gnome-shell
|
|
mount_exec(wm_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
mozilla_dbus_chat(wm_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
networkmanager_dbus_chat(wm_domain)
|
|
networkmanager_read_etc_files(wm_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
policykit_dbus_chat(wm_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
telepathy_mission_control_dbus_chat(wm_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
userhelper_exec_consolehelper(wm_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_dbus_chat_xdm(wm_domain)
|
|
xserver_rw_xsession_log(wm_domain)
|
|
')
|