## X Windows Server ######################################## ## ## Rules required for using the X Windows server ## and environment, for restricted users. ## ## ## ## Role allowed access. ## ## ## ## ## Domain allowed access. ## ## # interface(`xserver_restricted_role',` gen_require(` type xauth_t, iceauth_t; attribute dridomain, x_userdomain; ') role $1 types { xauth_t iceauth_t }; typeattribute $2 x_userdomain, dridomain; xserver_common_x_domain_template(user,$2) xserver_stream_connect_xdm($2) xserver_xdm_append_log($2) xserver_dri_domain($2) ') ######################################## ## ## Domain wants to use direct io devices ## ## ## ## Domain allowed access. ## ## # interface(`xserver_dri_domain',` gen_require(` attribute dridomain; ') typeattribute $1 dridomain; ') ######################################## ## ## Rules required for using the X Windows server ## and environment. ## ## ## ## Role allowed access. ## ## ## ## ## Domain allowed access. ## ## # interface(`xserver_role',` gen_require(` type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t; type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; ') xserver_restricted_role($1, $2) # Communicate via System V shared memory. allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; allow $2 iceauth_home_t:file manage_file_perms; allow $2 iceauth_home_t:file relabel_file_perms; allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file relabel_file_perms; mls_xwin_read_to_clearance($2) manage_dirs_pattern($2, user_fonts_t, user_fonts_t) manage_files_pattern($2, user_fonts_t, user_fonts_t) allow $2 user_fonts_t:lnk_file read_lnk_file_perms; relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) relabel_files_pattern($2, user_fonts_t, user_fonts_t) manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) ') ####################################### ## ## Create sessions on the X server, with read-only ## access to the X server shared ## memory segments. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the domain SYSV tmpfs files. ## ## # interface(`xserver_ro_session',` gen_require(` type xserver_t, xserver_tmp_t, xserver_tmpfs_t; ') # Xserver read/write client shm allow xserver_t $1:fd use; allow xserver_t $1:shm rw_shm_perms; allow xserver_t $2:file rw_file_perms; # Connect to xserver allow $1 xserver_t:unix_stream_socket connectto; allow $1 xserver_t:process signal; # Read /tmp/.X0-lock allow $1 xserver_tmp_t:file read_file_perms; # Client read xserver shm allow $1 xserver_t:fd use; allow $1 xserver_t:shm r_shm_perms; allow $1 xserver_tmpfs_t:file read_file_perms; ') ####################################### ## ## Create sessions on the X server, with read and write ## access to the X server shared ## memory segments. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the domain SYSV tmpfs files. ## ## # interface(`xserver_rw_session',` gen_require(` type xserver_t, xserver_tmpfs_t; ') xserver_ro_session($1, $2) allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file { map rw_file_perms }; ') ####################################### ## ## Create non-drawing client sessions on an X server. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_non_drawing_client',` gen_require(` class x_drawable { getattr get_property }; class x_extension { query use }; class x_gc { create setattr }; class x_property read; type xserver_t, xdm_var_run_t; type xextension_t, xproperty_t, root_xdrawable_t; ') allow $1 self:x_gc { create setattr }; allow $1 xdm_var_run_t:dir search_dir_perms; allow $1 xserver_t:unix_stream_socket connectto; allow $1 xextension_t:x_extension { query use }; allow $1 root_xdrawable_t:x_drawable { getattr get_property }; allow $1 xproperty_t:x_property read; ') ####################################### ## ## Create full client sessions ## on a user X server. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the domain SYSV tmpfs files. ## ## # interface(`xserver_user_client',` refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` type xdm_t; type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; ') allow $1 self:shm create_shm_perms; allow $1 self:unix_dgram_socket create_socket_perms; allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file allow $1 xauth_home_t:file read_file_perms; allow $1 iceauth_home_t:file read_file_perms; # for when /tmp/.X11-unix is created by the system allow $1 xdm_t:fd use; allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; userdom_search_user_tmp_dirs($1) userdom_rw_user_tmp_sock_files($1) dontaudit $1 xdm_t:tcp_socket { read write }; # Allow connections to X server. files_search_tmp($1) miscfiles_read_fonts($1) userdom_search_user_home_dirs($1) # for .xsession-errors userdom_dontaudit_write_user_home_content_files($1) xserver_ro_session($1,$2) xserver_use_user_fonts($1) xserver_read_xdm_tmp_files($1) # Client write xserver shm tunable_policy(`xserver_clients_write_xshm',` allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file mmap_rw_file_perms; ') ') ####################################### ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Provides the minimal set required by a basic ## X client application. ## ## ## ## The prefix of the X client domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## Client domain allowed access. ## ## # template(`xserver_common_x_domain_template',` gen_require(` type root_xdrawable_t, xdm_t, xserver_t; type xproperty_t, $1_xproperty_t; type xevent_t, client_xevent_t; type input_xevent_t, $1_input_xevent_t; attribute x_domain, input_xevent_type; attribute xdrawable_type, xcolormap_type; class x_drawable all_x_drawable_perms; class x_property all_x_property_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; class x_client destroy; class x_server manage; class x_screen { saver_setattr saver_hide saver_show show_cursor hide_cursor }; class x_pointer { get_property set_property manage }; class x_keyboard { read manage freeze }; ') ############################## # # Local Policy # # Type attributes typeattribute $2 x_domain; typeattribute $2 xdrawable_type, xcolormap_type; # X Properties # disable property transitions for the time being. # type_transition $2 xproperty_t:x_property $1_xproperty_t; # X Windows # new windows have the domain type type_transition $2 root_xdrawable_t:x_drawable $2; # X Input # distinguish input events type_transition $2 input_xevent_t:x_event $1_input_xevent_t; # can send own events allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } send; # can receive own events allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; # can receive default events allow $2 client_xevent_t:{ x_event x_synthetic_event } receive; allow $2 xevent_t:{ x_event x_synthetic_event } { send receive }; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; allow $2 xdm_t:x_drawable { hide read add_child manage }; allow $2 xdm_t:x_client destroy; allow $2 root_xdrawable_t:x_drawable write; allow $2 xserver_t:x_server manage; allow $2 xserver_t:x_screen { show_cursor hide_cursor saver_setattr saver_hide saver_show }; allow $2 xserver_t:x_pointer { get_property set_property manage }; allow $2 xserver_t:x_keyboard { read manage freeze }; ') ####################################### ## ## Template for creating the set of types used ## in an X windows domain. ## ## ## ## The prefix of the X client domain (e.g., user ## is the prefix for user_t). ## ## # template(`xserver_object_types_template',` gen_require(` attribute xproperty_type, input_xevent_type, xevent_type; ') ############################## # # Declarations # # Types for properties type $1_xproperty_t, xproperty_type; ubac_constrained($1_xproperty_t) # Types for events type $1_input_xevent_t, input_xevent_type, xevent_type; ubac_constrained($1_input_xevent_t) ') ####################################### ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Provides the minimal set required by a basic ## X client application. ## ## ## ## The prefix of the X client domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## Client domain allowed access. ## ## ## ## ## The type of the domain SYSV tmpfs files. ## ## # template(`xserver_user_x_domain_template',` gen_require(` type xdm_t, xserver_tmpfs_t; type xdm_home_t; type xauth_home_t, iceauth_home_t, xserver_t; ') allow $2 self:shm create_shm_perms; allow $2 self:unix_dgram_socket create_socket_perms; allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; xserver_filetrans_home_content($2) # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; userdom_search_user_tmp_dirs($2) userdom_rw_user_tmp_sock_files($2) dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. files_search_tmp($2) miscfiles_read_fonts($2) userdom_search_user_home_dirs($2) # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) xserver_ro_session($2, $3) xserver_use_user_fonts($2) userdom_read_user_tmp_files($2) xserver_read_xdm_pid($2) xserver_xdm_append_log($2) # X object manager xserver_object_types_template($1) xserver_common_x_domain_template($1, $2) # Client write xserver shm tunable_policy(`xserver_clients_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file mmap_rw_file_perms; ') tunable_policy(`selinuxuser_direct_dri_enabled',` dev_rw_dri($2) ') ') ######################################## ## ## Read user fonts, user font configuration, ## and manage the user font cache. ## ## ##

## Read user fonts, user font configuration, ## and manage the user font cache. ##

##

## This is a templated interface, and should only ## be called from a per-userdomain template. ##

##
## ## ## Domain allowed access. ## ## # interface(`xserver_use_user_fonts',` gen_require(` type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; ') # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; allow $1 user_fonts_t:lnk_file read_lnk_file_perms; # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t) # Read per user font config allow $1 user_fonts_config_t:dir list_dir_perms; allow $1 user_fonts_config_t:file read_file_perms; userdom_search_user_home_dirs($1) ') ######################################## ## ## Transition to the Xauthority domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`xserver_domtrans_xdm',` gen_require(` type xdm_t, xdm_exec_t; ') domtrans_pattern($1, xdm_exec_t, xdm_t) ') ######################################## ## ## Transition to the Xauthority domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`xserver_domtrans_xauth',` gen_require(` type xauth_t, xauth_exec_t; ') domtrans_pattern($1, xauth_exec_t, xauth_t) ') ###################################### ## ## Allow exec of Xauthority program.. ## ## ## ## Domain allowed to transition. ## ## # interface(`xserver_exec_xauth',` gen_require(` type xauth_t, xauth_exec_t; ') can_exec($1, xauth_exec_t) ') ######################################## ## ## Dontaudit exec of Xauthority program. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_exec_xauth',` gen_require(` type xauth_exec_t; ') dontaudit $1 xauth_exec_t:file execute; ') ######################################## ## ## Create a Xauthority file in the user home directory. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` type xauth_home_t; ') userdom_user_home_dir_filetrans($1, xauth_home_t, file) ') ######################################## ## ## Create a Xauthority file in the admin home directory. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_admin_home_dir_filetrans_xauth',` gen_require(` type xauth_home_t; ') userdom_admin_home_dir_filetrans($1, xauth_home_t, file) ') ######################################## ## ## Read all users fonts, user font configurations, ## and manage all users font caches. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_use_all_users_fonts',` refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.') xserver_use_user_fonts($1) ') ######################################## ## ## Read all users .Xauthority. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_user_xauth',` gen_require(` type xauth_home_t; ') allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) xserver_read_xdm_pid($1) ') ######################################## ## ## Manage all users .Xauthority. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_manage_user_xauth',` gen_require(` type xauth_home_t; ') allow $1 xauth_home_t:file manage_file_perms; ') ######################################## ## ## Set the attributes of the X windows console named pipes. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_setattr_console_pipes',` gen_require(` type xconsole_device_t; ') allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms; ') ######################################## ## ## Read and write the X windows console named pipe. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_console',` gen_require(` type xconsole_device_t; ') allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Read XDM state files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_state_xdm',` gen_require(` type xdm_t; ') kernel_search_proc($1) ps_process_pattern($1, xdm_t) ') ######################################## ## ## Use file descriptors for xdm. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_use_xdm_fds',` gen_require(` type xdm_t; ') allow $1 xdm_t:fd use; ') ######################################## ## ## Do not audit attempts to inherit ## XDM file descriptors. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_use_xdm_fds',` gen_require(` type xdm_t; ') dontaudit $1 xdm_t:fd use; ') ######################################## ## ## Read and write XDM unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_xdm_pipes',` gen_require(` type xdm_t; ') allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## ## ## Do not audit attempts to read and write ## XDM unnamed pipes. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_rw_xdm_pipes',` gen_require(` type xdm_t; ') dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Read xdm process state files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_state',` gen_require(` type xdm_t; ') kernel_search_proc($1) allow $1 xdm_t:dir list_dir_perms; allow $1 xdm_t:file read_file_perms; allow $1 xdm_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Create, read, write, and delete ## xdm_spool files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_manage_xdm_spool_files',` gen_require(` type xdm_spool_t; ') files_search_spool($1) manage_files_pattern($1, xdm_spool_t, xdm_spool_t) ') ######################################## ## ## Connect to XDM over a unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_stream_connect_xdm',` gen_require(` type xdm_t, xdm_var_run_t; ') files_search_tmp($1) files_search_pids($1) stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t) userdom_stream_connect($1) ') ######################################## ## ## Accept a connection to XDM over a unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_stream_accept_xdm',` gen_require(` type xdm_t; ') allow $1 xdm_t:unix_stream_socket accept; ') ######################################## ## ## Allow domain to append XDM unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_append_xdm_stream_socket',` gen_require(` type xdm_t; ') allow $1 xdm_t:unix_stream_socket append; ') ######################################## ## ## Read XDM files in user home directories. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_home_files',` gen_require(` type xdm_home_t; ') userdom_search_user_home_dirs($1) allow $1 xdm_home_t:file read_file_perms; ') ######################################## ## ## Connect to the xdm dbus for service (acquire_svc). ## ## ## ## Domain allowed access. ## ## # interface(`xserver_connect_xdm_bus',` gen_require(` type xdm_t; class dbus acquire_svc; ') allow $1 xdm_t:dbus acquire_svc; ') ######################################## ## ## Read xserver configuration files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_config',` gen_require(` type xserver_etc_t; ') files_search_etc($1) read_files_pattern($1, xserver_etc_t, xserver_etc_t) read_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t) ') ######################################## ## ## Manage xserver configuration files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_manage_config',` gen_require(` type xserver_etc_t; ') files_search_etc($1) manage_files_pattern($1, xserver_etc_t, xserver_etc_t) manage_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t) ') ######################################## ## ## Create xserver configuration dirs. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_create_config_dirs',` gen_require(` type xserver_etc_t; ') files_search_etc($1) manage_dirs_pattern($1, xserver_etc_t, xserver_etc_t) ') ######################################## ## ## Read xdm-writable configuration files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_rw_config',` gen_require(` type xdm_rw_etc_t; ') files_search_etc($1) allow $1 xdm_rw_etc_t:file read_file_perms; ') ######################################## ## ## Search XDM temporary directories. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_search_xdm_tmp_dirs',` refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.') userdom_search_user_tmp_dirs($1) ') ######################################## ## ## Set the attributes of XDM temporary directories. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_setattr_xdm_tmp_dirs',` refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.') userdom_dontaudit_setattr_user_tmp($1) ') ######################################## ## ## Dont audit attempts to set the attributes of XDM temporary directories. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_xdm_tmp_dirs',` refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.') userdom_dontaudit_setattr_user_tmp($1) ') ######################################## ## ## Create a named socket in a XDM ## temporary directory. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_create_xdm_tmp_sockets',` refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.') userdom_create_user_tmp_sockets($1) ') ######################################## ## ## Read XDM pid files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_pid',` gen_require(` type xdm_var_run_t; ') files_search_pids($1) read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) ') ######################################## ## ## Mmap XDM pid files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_map_xdm_pid',` gen_require(` type xdm_var_run_t; ') allow $1 xdm_var_run_t:file map; ') ###################################### ## ## Dontaudit Read XDM pid files. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_read_xdm_pid',` gen_require(` type xdm_var_run_t; ') dontaudit $1 xdm_var_run_t:dir search_dir_perms; dontaudit $1 xdm_var_run_t:file read_file_perms; ') ######################################## ## ## Read XDM var lib files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_lib_files',` gen_require(` type xdm_var_lib_t; ') read_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) ') ######################################## ## ## Read inherited XDM var lib files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_inherited_xdm_lib_files',` gen_require(` type xdm_var_lib_t; ') allow $1 xdm_var_lib_t:file { read_inherited_file_perms map }; ') ######################################## ## ## Make an X session script an entrypoint for the specified domain. ## ## ## ## The domain for which the shell is an entrypoint. ## ## # interface(`xserver_xsession_entry_type',` gen_require(` type xsession_exec_t; ') domain_entry_file($1, xsession_exec_t) ') ######################################## ## ## Execute an X session in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ##

## Execute an Xsession in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## The type of the shell process. ## ## # interface(`xserver_xsession_spec_domtrans',` gen_require(` type xsession_exec_t; ') domain_trans($1, xsession_exec_t, $2) ') ######################################## ## ## Get the attributes of X server logs. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_getattr_log',` gen_require(` type xserver_log_t; ') logging_search_logs($1) allow $1 xserver_log_t:file getattr_file_perms; ') ####################################### ## ## Allow domain to read X server logs. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_log',` gen_require(` type xserver_log_t; ') logging_search_logs($1) allow $1 xserver_log_t:file read_file_perms; ') ######################################## ## ## Do not audit attempts to write the X server ## log files. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_write_log',` gen_require(` type xserver_log_t; ') dontaudit $1 xserver_log_t:file rw_inherited_file_perms; ') ######################################## ## ## Delete X server log files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_delete_log',` gen_require(` type xserver_log_t; ') logging_search_logs($1) allow $1 xserver_log_t:dir list_dir_perms; delete_files_pattern($1, xserver_log_t, xserver_log_t) delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t) ') ######################################## ## ## Read X keyboard extension libraries. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xkb_libs',` gen_require(` type xkb_var_lib_t; ') files_search_var_lib($1) allow $1 xkb_var_lib_t:dir list_dir_perms; read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) ') ######################################## ## ## Manage X keyboard extension libraries. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_manage_xkb_libs',` gen_require(` type xkb_var_lib_t; ') files_search_var_lib($1) allow $1 xkb_var_lib_t:dir list_dir_perms; manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) ') ######################################## ## ## dontaudit access checks X keyboard extension libraries. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_dontaudit_xkb_libs_access',` gen_require(` type xkb_var_lib_t; ') dontaudit $1 xkb_var_lib_t:dir audit_access; dontaudit $1 xkb_var_lib_t:file audit_access; ') ######################################## ## ## Read xdm config files. ## ## ## ## Domain to not audit ## ## # interface(`xserver_read_xdm_etc_files',` gen_require(` type xdm_etc_t; ') files_search_etc($1) read_files_pattern($1, xdm_etc_t, xdm_etc_t) read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t) ') ######################################## ## ## Manage xdm config files. ## ## ## ## Domain to not audit ## ## # interface(`xserver_manage_xdm_etc_files',` gen_require(` type xdm_etc_t; ') files_search_etc($1) manage_files_pattern($1, xdm_etc_t, xdm_etc_t) ') ######################################## ## ## Watch xdm config directories. ## ## ## ## Domain to not audit ## ## # interface(`xserver_watch_xdm_etc_dirs',` gen_require(` type xdm_etc_t; ') files_search_etc($1) watch_dirs_pattern($1, xdm_etc_t, xdm_etc_t) ') ######################################## ## ## Read xdm temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_xdm_tmp_files',` refpolicywarn(`$0() has been deprecated, please use userdom_read_user_tmpfs_files instead.') userdom_read_user_tmpfs_files($1) ') ######################################## ## ## Do not audit attempts to read xdm temporary files. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_read_xdm_tmp_files',` refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_read_user_tmp_files instead.') userdom_dontaudit_read_user_tmp_files($1) ') ######################################## ## ## Read write xdm temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_xdm_tmp_files',` refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.') userdom_rw_user_tmpfs_files($1) ') ######################################## ## ## Create, read, write, and delete xdm temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_manage_xdm_tmp_files',` refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.') userdom_manage_user_tmp_files($1) ') ######################################## ## ## Create, read, write, and delete xdm temporary dirs. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_relabel_xdm_tmp_dirs',` refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.') userdom_relabel_user_tmp_dirs($1) ') ######################################## ## ## Create, read, write, and delete xdm temporary dirs. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_manage_xdm_tmp_dirs',` refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.') userdom_manage_user_tmp_dirs($1) ') ######################################## ## ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_user_getattr_tmp_sockets instead.') userdom_dontaudit_user_getattr_tmp_sockets($1) ') ######################################## ## ## Execute the X server in the X server domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`xserver_domtrans',` gen_require(` type xserver_t, xserver_exec_t; ') allow $1 xserver_t:process siginh; domtrans_pattern($1, xserver_exec_t, xserver_t) allow xserver_t $1:process getpgid; ') ######################################## ## ## Allow SELinux Domain trasition ## into confined domain with NoNewPrivileges ## Systemd Security feature. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_nnp_daemon_domain',` gen_require(` type xserver_t; ') allow $1 xserver_t:process2 { nnp_transition nosuid_transition }; ') ######################################## ## ## Allow execute the X server. ## ## ## ## Domain allowed to transition. ## ## # interface(`xserver_exec',` gen_require(` type xserver_exec_t; ') can_exec($1, xserver_exec_t) ') ######################################## ## ## Signal X servers ## ## ## ## Domain allowed access. ## ## # interface(`xserver_signal',` gen_require(` type xserver_t; ') allow $1 xserver_t:process signal; ') ######################################## ## ## Send a null signal to xdm processes. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_xdm_signull',` gen_require(` type xdm_t; ') allow $1 xdm_t:process signull; ') ######################################## ## ## Kill X servers ## ## ## ## Domain allowed access. ## ## # interface(`xserver_kill',` gen_require(` type xserver_t; ') allow $1 xserver_t:process sigkill; ') ######################################## ## ## Read and write X server Sys V Shared ## memory segments. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_shm',` gen_require(` type xserver_t; ') allow $1 xserver_t:shm rw_shm_perms; ') ######################################## ## ## Do not audit attempts to read and write to ## X server sockets. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_rw_tcp_sockets',` gen_require(` type xserver_t; ') dontaudit $1 xserver_t:tcp_socket { read write }; ') ######################################## ## ## Do not audit attempts to read and write X server ## unix domain stream sockets. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_rw_stream_sockets',` gen_require(` type xserver_t; ') dontaudit $1 xserver_t:unix_stream_socket { read write }; ') ######################################## ## ## Do not audit attempts to read and write xdm ## unix domain stream sockets. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_xdm_rw_stream_sockets',` gen_require(` type xdm_t; ') dontaudit $1 xdm_t:unix_stream_socket { append getattr ioctl read write }; ') ######################################## ## ## Connect to the X server over a unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_stream_connect',` gen_require(` type xserver_t, xserver_tmp_t; ') files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) allow xserver_t $1:shm rw_shm_perms; ') ###################################### ## ## Dontaudit attempts to connect to xserver ## over a unix stream socket. ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_stream_connect',` gen_require(` type xserver_t, xserver_tmp_t; ') stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) ') ######################################## ## ## Read X server temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_tmp_files',` gen_require(` type xserver_tmp_t; ') allow $1 xserver_tmp_t:file read_file_perms; files_search_tmp($1) ') ######################################## ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the ## virtual core keyboard and virtual core pointer devices. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_manage_core_devices',` gen_require(` type xserver_t, root_xdrawable_t, xevent_t; class x_device all_x_device_perms; class x_pointer all_x_pointer_perms; class x_keyboard all_x_keyboard_perms; class x_screen all_x_screen_perms; class x_drawable { manage }; attribute x_domain; class x_drawable all_x_drawable_perms; class x_resource all_x_resource_perms; class x_synthetic_event all_x_synthetic_event_perms; class x_cursor all_x_cursor_perms; ') allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; allow $1 xserver_t:{ x_screen } setattr; allow $1 x_domain:x_cursor all_x_cursor_perms; allow $1 x_domain:x_drawable all_x_drawable_perms; allow $1 x_domain:x_resource all_x_resource_perms; allow $1 root_xdrawable_t:x_drawable all_x_drawable_perms; allow $1 xevent_t:x_synthetic_event all_x_synthetic_event_perms; ') ######################################## ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_unconfined',` gen_require(` attribute x_domain, xserver_unconfined_type; ') typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') ######################################## ## ## Dontaudit append to .xsession-errors file ## ## ## ## Domain to not audit ## ## # interface(`xserver_dontaudit_append_xdm_home_files',` gen_require(` type xdm_home_t; ') dontaudit $1 xdm_home_t:file rw_inherited_file_perms; tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files($1) ') tunable_policy(`use_samba_home_dirs',` fs_dontaudit_rw_cifs_files($1) ') ') ######################################## ## ## append to .xsession-errors file ## ## ## ## Domain to not audit ## ## # interface(`xserver_append_xdm_home_files',` gen_require(` type xdm_home_t, xserver_tmp_t; ') allow $1 xdm_home_t:file append_file_perms; allow $1 xserver_tmp_t:file append_file_perms; tunable_policy(`use_nfs_home_dirs',` fs_append_nfs_files($1) ') tunable_policy(`use_samba_home_dirs',` fs_append_cifs_files($1) ') ') ####################################### ## ## Allow search the xdm_spool files ## ## ## ## Domain allowed access. ## ## # interface(`xserver_xdm_search_spool',` gen_require(` type xdm_spool_t; ') files_search_spool($1) search_dirs_pattern($1, xdm_spool_t, xdm_spool_t) ') ###################################### ## ## Allow read the xdm_spool files ## ## ## ## Domain allowed access. ## ## # interface(`xserver_xdm_read_spool',` gen_require(` type xdm_spool_t; ') files_search_spool($1) read_files_pattern($1, xdm_spool_t, xdm_spool_t) ') ######################################## ## ## Manage the xdm_spool files ## ## ## ## Domain allowed access. ## ## # interface(`xserver_xdm_manage_spool',` gen_require(` type xdm_spool_t; ') files_search_spool($1) manage_files_pattern($1, xdm_spool_t, xdm_spool_t) ') ######################################## ## ## Send and receive messages from ## xdm over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_dbus_chat_xdm',` gen_require(` type xdm_t; class dbus send_msg; ') allow $1 xdm_t:dbus send_msg; allow xdm_t $1:dbus send_msg; ') ######################################## ## ## Send and receive messages from ## xdm over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_dbus_chat',` gen_require(` type xserver_t; class dbus send_msg; ') allow $1 xserver_t:dbus send_msg; allow xserver_t $1:dbus send_msg; ') ######################################## ## ## Read xserver files created in /var/run ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_pid',` gen_require(` type xserver_var_run_t; ') files_search_pids($1) read_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ') ######################################## ## ## Execute xserver files created in /var/run ## ## ## ## Domain allowed access. ## ## # interface(`xserver_exec_pid',` gen_require(` type xserver_var_run_t; ') files_search_pids($1) exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ') ######################################## ## ## Write xserver files created in /var/run ## ## ## ## Domain allowed access. ## ## # interface(`xserver_write_pid',` gen_require(` type xserver_var_run_t; ') files_search_pids($1) write_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ') ######################################## ## ## Allow append the xdm ## log files. ## ## ## ## Domain to not audit ## ## # interface(`xserver_xdm_append_log',` gen_require(` type xdm_log_t; attribute xdmhomewriter; ') typeattribute $1 xdmhomewriter; allow $1 xdm_log_t:file append_inherited_file_perms; ') ######################################## ## ## Allow ioctl the xdm log files. ## ## ## ## Domain to not audit ## ## # interface(`xserver_xdm_ioctl_log',` gen_require(` type xdm_log_t; ') allow $1 xdm_log_t:file ioctl; ') ######################################## ## ## Allow append the xdm ## tmp files. ## ## ## ## Domain to not audit ## ## # interface(`xserver_append_xdm_tmp_files',` refpolicywarn(`$0() has been deprecated, please use userdom_append_user_tmp_files instead.') userdom_append_user_tmp_files($1) ') ######################################## ## ## Read a user Iceauthority domain. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_read_user_iceauth',` gen_require(` type iceauth_home_t; ') # Read .Iceauthority file allow $1 iceauth_home_t:file read_file_perms; ') ######################################## ## ## Read/write inherited user homedir fonts. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_inherited_user_fonts',` gen_require(` type user_fonts_t, user_fonts_config_t; ') allow $1 user_fonts_t:file rw_inherited_file_perms; allow $1 user_fonts_t:file read_lnk_file_perms; allow $1 user_fonts_config_t:file rw_inherited_file_perms; ') ######################################## ## ## Search XDM var lib dirs. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_search_xdm_lib',` gen_require(` type xdm_var_lib_t; ') allow $1 xdm_var_lib_t:dir search_dir_perms; ') ######################################## ## ## Make an X executable an entrypoint for the specified domain. ## ## ## ## The domain for which the shell is an entrypoint. ## ## # interface(`xserver_entry_type',` gen_require(` type xserver_exec_t; ') domain_entry_file($1, xserver_exec_t) ') ######################################## ## ## Execute xsever in the xserver domain, and ## allow the specified role the xserver domain. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the xserver domain. ## ## ## # interface(`xserver_run',` gen_require(` type xserver_t; ') xserver_domtrans($1) xserver_nnp_daemon_domain($1) role $2 types xserver_t; ') ######################################## ## ## Execute xsever in the xserver domain, and ## allow the specified role the xserver domain. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the xserver domain. ## ## ## # interface(`xserver_run_xauth',` gen_require(` type xauth_t; ') xserver_domtrans_xauth($1) role $2 types xauth_t; ') ######################################## ## ## Read user homedir fonts. ## ## ## ## Domain allowed access. ## ## ## # interface(`xserver_read_home_fonts',` gen_require(` type user_fonts_t, user_fonts_config_t; ') list_dirs_pattern($1, user_fonts_t, user_fonts_t) read_files_pattern($1, user_fonts_t, user_fonts_t) read_lnk_files_pattern($1, user_fonts_t, user_fonts_t) read_files_pattern($1, user_fonts_config_t, user_fonts_config_t) ') ######################################## ## ## Map user homedir fonts. ## ## ## ## Domain allowed access. ## ## ## # interface(`xserver_map_user_fonts',` gen_require(` type user_fonts_t, user_fonts_cache_t; ') allow $1 user_fonts_t:file map; allow $1 user_fonts_cache_t:file map; ') ######################################## ## ## Manage user fonts dir. ## ## ## ## Domain allowed access. ## ## ## # interface(`xserver_manage_user_fonts_dir',` gen_require(` type user_fonts_t; ') manage_dirs_pattern($1, user_fonts_t, user_fonts_t) files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix") ') ######################################## ## ## Manage user homedir fonts. ## ## ## ## Domain allowed access. ## ## ## # interface(`xserver_manage_home_fonts',` gen_require(` type user_fonts_t, user_fonts_config_t, user_fonts_cache_t; ') manage_dirs_pattern($1, user_fonts_t, user_fonts_t) manage_files_pattern($1, user_fonts_t, user_fonts_t) manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t) manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) # userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts.d") # userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts") # userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") ') ####################################### ## ## Transition to xserver .fontconfig named content ## ## ## ## Domain allowed access. ## ## # interface(`xserver_filetrans_fonts_cache_home_content',` gen_require(` type user_fonts_cache_t; ') userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") ') ######################################## ## ## Transition to xserver named content ## ## ## ## Domain allowed access. ## ## # interface(`xserver_filetrans_home_content',` gen_require(` type xdm_home_t, xauth_home_t, iceauth_home_t; type user_home_t, user_fonts_t, user_fonts_cache_t; type user_fonts_config_t; ') userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc") userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority") userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-c") userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-n") userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l") userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c") userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n") userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth") userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth") userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") userdom_user_home_dir_filetrans($1, xdm_home_t, file, "xsession-errors") userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0") userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1") userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2") userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3") userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4") userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5") userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6") userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7") userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8") userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9") userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped") userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old") userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors") userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".vnc") userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf") userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d") userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts") optional_policy(` gnome_data_filetrans($1, user_fonts_t, dir, "fonts") ') userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto") files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix") ') ######################################## ## ## Create xserver content in admin home ## directory with a named file transition. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_filetrans_admin_home_content',` gen_require(` type xdm_home_t, xauth_home_t, iceauth_home_t; type user_home_t, user_fonts_t, user_fonts_cache_t; type user_fonts_config_t; ') userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, "xsession-errors") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors.old") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors") userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".vnc") userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority") userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l") userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c") userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".xauth") userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauth") userdom_admin_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf") userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d") userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts") userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") optional_policy(` gnome_cache_filetrans($1, xdm_home_t, dir, "xdm") ') ') ######################################## ## ## Create objects in a xdm temporary directory ## with an automatic type transition to ## a specified private type. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to create. ## ## ## ## ## The class of the object to be created. ## ## ## ## ## The name of the object being created. ## ## # interface(`xserver_xdm_tmp_filetrans',` refpolicywarn(`$0() has been deprecated, please use userdom_user_tmp_filetrans instead.') userdom_user_tmp_filetrans($1,$2, $3, $4) ') ######################################## ## ## Dontaudit search ssh home directory ## ## ## ## Domain to not audit. ## ## # interface(`xserver_dontaudit_search_log',` gen_require(` type xserver_log_t; ') dontaudit $1 xserver_log_t:dir search_dir_perms; ') ######################################## ## ## Manage keys for xdm. ## ## ## ## Domain allowed access. ## ## # interface(`xserver_rw_xdm_keys',` gen_require(` type xdm_t; ') allow $1 xdm_t:key { read write setattr }; ') ###################################### ## ## Transition to xdm named content ## ## ## ## Domain allowed access. ## ## # interface(`xserver_filetrans_named_content',` gen_require(` type xdm_var_run_t; ') files_pid_filetrans($1, xdm_var_run_t, dir, "gdm") ')