policy_module(wm, 1.9.2) ######################################## # # Declarations # attribute wm_domain; type wm_exec_t; corecmd_executable_file(wm_exec_t) type wm_tmp_t; userdom_user_tmp_file(wm_tmp_t) type wm_tmpfs_t; userdom_user_tmpfs_file(wm_tmpfs_t) optional_policy(` pulseaudio_tmpfs_content(wm_tmpfs_t) ') ######################################## # # Common wm domain local policy # allow wm_domain self:fifo_file rw_fifo_file_perms; allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched }; allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms; allow wm_domain self:shm create_shm_perms; allow wm_domain self:unix_dgram_socket create_socket_perms; manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t) manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file }) manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) mmap_read_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file }) can_exec(wm_domain, wm_exec_t) kernel_read_system_state(wm_domain) corecmd_getattr_all_executables(wm_domain) dev_read_rand(wm_domain) dev_read_sound(wm_domain) dev_read_sysfs(wm_domain) dev_read_urand(wm_domain) dev_rw_dri(wm_domain) dev_rw_wireless(wm_domain) dev_write_sound(wm_domain) files_read_etc_runtime_files(wm_domain) files_map_usr_files(wm_domain) files_read_usr_files(wm_domain) fs_getattr_all_fs(wm_domain) kernel_read_fs_sysctls(wm_domain) kernel_read_proc_symlinks(wm_domain) kernel_read_sysctl(wm_domain) locallogin_dontaudit_use_fds(wm_domain) miscfiles_read_fonts(wm_domain) miscfiles_read_generic_certs(wm_domain) miscfiles_read_localization(wm_domain) selinux_get_enforce_mode(wm_domain) seutil_read_config(wm_domain) udev_read_pid_files(wm_domain) # the following is needed by gnome-shell userdom_exec_user_home_content_files(wm_domain) userdom_manage_user_tmp_sockets(wm_domain) userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file) # to print error messages userdom_use_inherited_user_terminals(wm_domain) userdom_manage_user_home_content_dirs(wm_domain) userdom_manage_user_home_content_files(wm_domain) userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) wm_dontaudit_exec_tmp_files(wm_domain) wm_dontaudit_exec_tmpfs_files(wm_domain) optional_policy(` accountsd_dbus_chat(wm_domain) ') optional_policy(` bluetooth_dbus_chat(wm_domain) ') optional_policy(` consolekit_dbus_chat(wm_domain) ') optional_policy(` devicekit_dbus_chat_power(wm_domain) ') optional_policy(` evolution_dbus_chat(wm_domain) evolution_alarm_dbus_chat(wm_domain) ') optional_policy(` games_dbus_chat(wm_domain) ') optional_policy(` # gnome-shell mount_exec(wm_domain) ') optional_policy(` mozilla_dbus_chat(wm_domain) ') optional_policy(` networkmanager_dbus_chat(wm_domain) networkmanager_read_etc_files(wm_domain) ') optional_policy(` policykit_dbus_chat(wm_domain) ') optional_policy(` telepathy_mission_control_dbus_chat(wm_domain) ') optional_policy(` userhelper_exec_consolehelper(wm_domain) ') optional_policy(` xserver_dbus_chat_xdm(wm_domain) xserver_rw_xsession_log(wm_domain) ')