selinux-refpolicy/targeted/macros/program/xserver_macros.te
2005-10-21 18:05:21 +00:00

275 lines
8.4 KiB
Plaintext

#
# Macros for X server domains.
#
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#
#################################
#
# xserver_domain(domain_prefix)
#
# Define a derived domain for the X server when executed
# by a user domain (e.g. via startx). See the xdm_t domain
# in domains/program/xdm.te if using an X Display Manager.
#
# The type declarations for the executable type for this program
# and the log type are provided separately in domains/program/xserver.te.
#
# FIXME! The X server requires far too many privileges.
#
undefine(`xserver_domain')
ifdef(`xserver.te', `
define(`xserver_domain',`
# Derived domain based on the calling user domain and the program.
ifdef(`distro_redhat', `
type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
ifdef(`rpm.te', `
allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
allow $1_xserver_t rpm_tmpfs_t:file { read write };
allow $1_xserver_t rpm_t:fd use;
')
', `
type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
')
# for SSP
allow $1_xserver_t urandom_device_t:chr_file { getattr read ioctl };
# Transition from the user domain to this domain.
ifelse($1, xdm, `
ifdef(`xdm.te', `
domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
')
', `
domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t)
')dnl end ifelse xdm
can_exec($1_xserver_t, xserver_exec_t)
uses_shlib($1_xserver_t)
allow $1_xserver_t texrel_shlib_t:file execmod;
can_network($1_xserver_t)
allow $1_xserver_t port_type:tcp_socket name_connect;
can_ypbind($1_xserver_t)
allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
# for access within the domain
general_domain_access($1_xserver_t)
allow $1_xserver_t self:process execmem;
# Until the X module loader is fixed.
allow $1_xserver_t self:process execheap;
allow $1_xserver_t etc_runtime_t:file { getattr read };
ifelse($1, xdm, `
# The system role is authorised for the xdm and initrc domains
role system_r types xdm_xserver_t;
allow xdm_xserver_t init_t:fd use;
dontaudit xdm_xserver_t home_dir_type:dir { read search };
# Read all global and per user fonts
read_fonts($1_xserver_t, sysadm)
read_fonts($1_xserver_t, staff)
read_fonts($1_xserver_t, user)
', `
# The user role is authorized for this domain.
role $1_r types $1_xserver_t;
allow $1_xserver_t getty_t:fd use;
allow $1_xserver_t local_login_t:fd use;
allow $1_xserver_t $1_tty_device_t:chr_file { setattr rw_file_perms };
allow $1_xserver_t $1_tmpfs_t:file rw_file_perms;
allow $1_t $1_xserver_tmpfs_t:file rw_file_perms;
can_unix_connect($1_t, $1_xserver_t)
# Read fonts
read_fonts($1_xserver_t, $1)
# Access the home directory.
allow $1_xserver_t home_root_t:dir search;
allow $1_xserver_t $1_home_dir_t:dir { getattr search };
ifdef(`xauth.te', `
domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
', `
allow $1_xserver_t $1_home_t:file { getattr read };
')dnl end ifdef xauth
ifdef(`userhelper.te', `
allow $1_xserver_t userhelper_conf_t:dir search;
')dnl end ifdef userhelper
')dnl end ifelse xdm
allow $1_xserver_t self:process setsched;
allow $1_xserver_t fs_t:filesystem getattr;
# Xorg wants to check if kernel is tainted
read_sysctl($1_xserver_t)
# Use capabilities.
# allow setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
# sys_admin, locking shared mem? chowning IPC message queues or semaphores?
# admin of APM bios?
# sys_nice is so that the X server can set a negative nice value
allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
allow $1_xserver_t nfs_t:dir { getattr search };
# memory_device_t access is needed if not using the frame buffer
#dontaudit $1_xserver_t memory_device_t:chr_file read;
allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute };
# net_bind_service is needed if you want your X server to allow TCP connections
# from other hosts, EG an XDM serving a network of X terms
# if you want good security you do not want this
# not sure why some people want chown, fsetid, and sys_tty_config.
#allow $1_xserver_t self:capability { net_bind_service chown fsetid sys_tty_config };
dontaudit $1_xserver_t self:capability chown;
# for nscd
dontaudit $1_xserver_t var_run_t:dir search;
allow $1_xserver_t mtrr_device_t:file rw_file_perms;
allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
allow $1_xserver_t device_t:lnk_file { getattr read };
allow $1_xserver_t devtty_t:chr_file rw_file_perms;
allow $1_xserver_t zero_device_t:chr_file { read write execute };
# Type for temporary files.
tmp_domain($1_xserver, `', `{ dir file sock_file }')
file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
ifelse($1, xdm, `
ifdef(`xdm.te', `
allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
allow xdm_t $1_xserver_t:process signal;
can_unix_connect(xdm_t, xdm_xserver_t)
allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
allow xdm_xserver_t xdm_t:process signal;
allow xdm_xserver_t xdm_t:shm rw_shm_perms;
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
')
', `
allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
allow $1_t $1_xserver_t:process signal;
# Allow the user domain to connect to the X server.
can_unix_connect($1_t, $1_xserver_t)
allow $1_t $1_xserver_tmp_t:sock_file rw_file_perms;
allow $1_t $1_xserver_tmp_t:dir r_dir_perms;
ifdef(`xdm.te', `
allow $1_t xdm_tmp_t:sock_file unlink;
allow $1_xserver_t xdm_var_run_t:dir search;
')
# Signal the user domain.
allow $1_xserver_t $1_t:process signal;
# Communicate via System V shared memory.
allow $1_xserver_t $1_t:shm rw_shm_perms;
allow $1_t $1_xserver_t:shm rw_shm_perms;
allow $1_xserver_t initrc_t:shm rw_shm_perms;
')dnl end ifelse xdm
# Create files in /var/log with the xserver_log_t type.
allow $1_xserver_t var_t:dir search;
file_type_auto_trans($1_xserver_t, var_log_t, xserver_log_t, file)
allow $1_xserver_t xserver_log_t:dir r_dir_perms;
# Access AGP device.
allow $1_xserver_t agp_device_t:chr_file rw_file_perms;
# for other device nodes such as the NVidia binary-only driver
allow $1_xserver_t xserver_misc_device_t:chr_file rw_file_perms;
# Access /proc/mtrr
allow $1_xserver_t proc_t:file rw_file_perms;
allow $1_xserver_t proc_t:lnk_file { getattr read };
# Access /proc/sys/dev
allow $1_xserver_t sysctl_dev_t:dir search;
allow $1_xserver_t sysctl_dev_t:file { getattr read };
# Access /proc/bus/pci
allow $1_xserver_t proc_t:dir r_dir_perms;
# Create and access /dev/dri devices.
allow $1_xserver_t device_t:dir { create setattr };
file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
# brought on by rhgb
allow $1_xserver_t mnt_t:dir search;
allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };
# Run helper programs in $1_xserver_t.
allow $1_xserver_t { bin_t sbin_t }:dir search;
allow $1_xserver_t etc_t:{ file lnk_file } { getattr read };
allow $1_xserver_t bin_t:lnk_file read;
can_exec($1_xserver_t, { bin_t shell_exec_t })
# Connect to xfs.
ifdef(`xfs.te', `
can_unix_connect($1_xserver_t, xfs_t)
allow $1_xserver_t xfs_tmp_t:dir r_dir_perms;
allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms;
# Bind to the X server socket in /tmp.
allow $1_xserver_t $1_xserver_tmp_t:unix_stream_socket name_bind;
')
read_locale($1_xserver_t)
# Type for tmpfs/shm files.
tmpfs_domain($1_xserver)
ifelse($1, xdm, `
ifdef(`xdm.te', `
allow xdm_xserver_t xdm_t:shm rw_shm_perms;
allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
')
', `
allow $1_xserver_t $1_t:shm rw_shm_perms;
rw_dir_file($1_xserver_t, $1_tmpfs_t)
')dnl end ifelse xdm
r_dir_file($1_xserver_t,sysfs_t)
# Use the mouse.
allow $1_xserver_t mouse_device_t:chr_file rw_file_perms;
# Allow xserver to read events - the synaptics touchpad
# driver reads raw events
allow $1_xserver_t event_device_t:chr_file rw_file_perms;
ifdef(`pamconsole.te', `
allow $1_xserver_t pam_var_console_t:dir search;
')
dontaudit $1_xserver_t selinux_config_t:dir search;
allow $1_xserver_t var_lib_t:dir search;
rw_dir_create_file($1_xserver_t, xkb_var_lib_t)
')dnl end macro definition
', `
define(`xserver_domain',`')
')