selinux-refpolicy/targeted/macros/program/x_client_macros.te
2005-10-21 18:05:21 +00:00

97 lines
2.1 KiB
Plaintext

#
# Macros for X client programs
#
#
# Author: Russell Coker <russell@coker.com.au>
# Based on the work of Stephen Smalley <sds@epoch.ncsc.mil>
# and Timothy Fraser
#
# Allows clients to write to the X server's shm
bool allow_write_xshm false;
define(`xsession_domain', `
# Connect to xserver
can_unix_connect($1_t, $2_xserver_t)
# Read /tmp/.X0-lock
allow $1_t $2_xserver_tmp_t:file { getattr read };
# Signal Xserver
allow $1_t $2_xserver_t:process signal;
# Xserver read/write client shm
allow $2_xserver_t $1_t:fd use;
allow $2_xserver_t $1_t:shm rw_shm_perms;
allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
# Client read xserver shm
allow $1_t $2_xserver_t:fd use;
allow $1_t $2_xserver_t:shm r_shm_perms;
allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
# Client write xserver shm
if (allow_write_xshm) {
allow $1_t $2_xserver_t:shm rw_shm_perms;
allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
}
')
#
# x_client_domain(client, role)
#
# Defines common X access rules for the client domain
#
define(`x_client_domain',`
# Create socket to communicate with X server
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
ifdef(`xauth.te',`
allow $1_t home_root_t:dir { search getattr };
allow $1_t $2_home_dir_t:dir { search getattr };
allow $1_t $2_xauth_home_t:file { getattr read };
')
# for .xsession-errors
dontaudit $1_t $2_home_t:file write;
# for X over a ssh tunnel
ifdef(`ssh.te', `
can_tcp_connect($1_t, sshd_t)
')
# Use a separate type for tmpfs/shm pseudo files.
tmpfs_domain($1)
allow $1_t self:shm create_shm_perms;
# allow X client to read all font files
read_fonts($1_t, $2)
# Allow connections to X server.
ifdef(`xserver.te', `
allow $1_t tmp_t:dir search;
ifdef(`xdm.te', `
xsession_domain($1, xdm)
# for when /tmp/.X11-unix is created by the system
can_pipe_xdm($1_t)
allow $1_t xdm_tmp_t:dir search;
allow $1_t xdm_tmp_t:sock_file { read write };
dontaudit $1_t xdm_t:tcp_socket { read write };
')
ifdef(`startx.te', `
xsession_domain($1, $2)
')dnl end startx
')dnl end xserver
')dnl end x_client macro