#DESC rhgb - Red Hat Graphical Boot
#
# Author:  Russell Coker <russell@coker.com.au>
# Depends: xdm.te gnome-pty-helper.te xserver.te
# Declare the rhgb_t domain through the daemon_base_domain macro (defined
# elsewhere in the policy); every rule below attaches to that domain.
daemon_base_domain(rhgb)
# Locate executables in the system binary directories; execution itself is
# granted separately by the can_exec rule below.
allow rhgb_t { bin_t sbin_t }:dir search;
# Follow symlinks inside bin_t directories.
allow rhgb_t bin_t:lnk_file read;
# Running a shell (shell_exec_t) from rhgb_t automatically transitions to
# initrc_t instead of running the shell inside the rhgb domain.
domain_auto_trans(rhgb_t, shell_exec_t, initrc_t)
# Starting the X server from rhgb_t transitions into the xdm_xserver_t domain.
domain_auto_trans(rhgb_t, xserver_exec_t, xdm_xserver_t)
# Execute system binaries and gnome-pty-helper (gph_exec_t) in the rhgb_t
# domain itself (can_exec grants execution without a domain transition).
can_exec(rhgb_t, { bin_t sbin_t gph_exec_t })
# Own unix stream sockets; initrc_t is allowed to connect to them further down.
allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
# Read/write its own pipes (fifo_file).
allow rhgb_t self:fifo_file rw_file_perms;
# for gnome-pty-helper
# Derive the rhgb_gph_t helper domain for gnome-pty-helper (macro defined
# elsewhere); rhgb_gph_t is referenced by the fd rules below.
gph_domain(rhgb, system)
# Init scripts may use file descriptors inherited from rhgb's pty helper.
allow initrc_t rhgb_gph_t:fd use;
# Read files under /proc (proc_t).
allow rhgb_t proc_t:file { getattr read };
# Read/write the controlling terminal device (devtty_t).
allow rhgb_t devtty_t:chr_file { read write };
# Full read/write access to tty devices (the console rhgb draws on).
allow rhgb_t tty_device_t:chr_file rw_file_perms;
# Read locale data (macro defined elsewhere).
read_locale(rhgb_t)
# Read static and runtime-generated configuration under /etc; read-only.
allow rhgb_t { etc_t etc_runtime_t }:file { getattr read };
# for ramfs file systems
# Manage directories on the ramfs rhgb mounts (see the mount rule below),
# including changing their attributes.
allow rhgb_t ramfs_t:dir { setattr rw_dir_perms };
# Create and manage unix socket nodes on the ramfs.
allow rhgb_t ramfs_t:sock_file create_file_perms;
# Create and manage regular files and fifos on the ramfs.
allow rhgb_t ramfs_t:{ file fifo_file } create_file_perms;
# Module loading (insmod_t) may write to files on the ramfs; presumably
# these are descriptors handed over from rhgb (see the fd rule that follows).
allow insmod_t ramfs_t:file write;
# insmod_t may use file descriptors inherited from rhgb_t.
allow insmod_t rhgb_t:fd use;
# Mount and unmount the ramfs; this also requires the sys_admin capability
# granted below.
allow rhgb_t ramfs_t:filesystem { mount unmount };
# Use a directory of type mnt_t as the mount point for the ramfs.
allow rhgb_t mnt_t:dir { search mounton };
# sys_admin is needed for mount(2) but is a broad capability covering many
# other privileged operations; sys_tty_config is for console/tty setup.
allow rhgb_t self:capability { sys_admin sys_tty_config };
# Silence (do not grant) searches of /var/run so they do not clutter the audit log.
dontaudit rhgb_t var_run_t:dir search;
# Generic outbound network client access (macro defined elsewhere).
# NOTE(review): this is broad for a boot-splash daemon; confirm it is still required.
can_network_client(rhgb_t)
# Allow NIS (ypbind) lookups (macro defined elsewhere).
can_ypbind(rhgb_t)
# for fonts
# Read files and symlinks under /usr (usr_t); read-only.
allow rhgb_t usr_t:{ file lnk_file } { getattr read };
# for running setxkbmap
# Read-only access to directories and files of the XKB keymap data.
r_dir_file(rhgb_t, var_lib_xkb_t)
# for localization
# Read files of type lib_t (localization data lives there); no execute.
allow rhgb_t lib_t:file { getattr read };
# Write to init's control fifo (initctl_t); write-only, no read.
allow rhgb_t initctl_t:fifo_file write;
# Optional block (enabled by the hide_broken_symptoms build flag): it only
# silences audit messages and grants no additional access.
ifdef(`hide_broken_symptoms', `
# rhgb should not be searching home directories; the denial is silenced here, not allowed
# Suppress audit records for searches of staff and sysadm home directories.
dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
')dnl end hide_broken_symptoms
# Allow rhgb to create pseudo-terminals; this introduces the rhgb_devpts_t
# type that the domain-wide chr_file rule below refers to.
can_create_pty(rhgb)
# Create SysV shared memory segments (shared with the X server, next rule).
allow rhgb_t self:shm create_shm_perms;
# The X server may read and write rhgb's shared memory segments.
allow xdm_xserver_t rhgb_t:shm rw_shm_perms;
# Init scripts may connect to rhgb's unix stream sockets.
can_unix_connect(initrc_t, rhgb_t)
# Give rhgb its own tmpfs file type, rhgb_tmpfs_t (macro defined elsewhere).
tmpfs_domain(rhgb)
# The X server may read and write rhgb's tmpfs-backed files.
allow xdm_xserver_t rhgb_tmpfs_t:file { read write };
# List and search font directories.
allow rhgb_t fonts_t:dir { getattr read search };
# Read font files.
allow rhgb_t fonts_t:file { getattr read };
# for nscd
# Silence (do not grant) searches of /var triggered by nscd lookups.
dontaudit rhgb_t var_t:dir search;
# Second optional hide_broken_symptoms block; again dontaudit only, no grants.
ifdef(`hide_broken_symptoms', `
# workaround for a bug in the X server; the denials below are silenced, not granted
# Suppress denials when insmod_t touches the X server's TCP socket
# (presumably a descriptor inherited across exec rather than opened on purpose).
dontaudit insmod_t xdm_xserver_t:tcp_socket { read write };
# Suppress denials for insmod_t accessing serial devices.
dontaudit insmod_t serial_device:chr_file { read write };
# Suppress denials for mount_t using descriptors inherited from rhgb's pty helper.
dontaudit mount_t rhgb_gph_t:fd use;
# Suppress denials for mount_t reading/writing rhgb's unix stream sockets.
dontaudit mount_t rhgb_t:unix_stream_socket { read write };
# Suppress denials for mount_t accessing the pty multiplexer device.
dontaudit mount_t ptmx_t:chr_file { read write };
')dnl end hide_broken_symptoms
# Only when the firstboot policy module is part of the build.
ifdef(`firstboot.te', `
# Read (not write) firstboot's read/write files.
allow rhgb_t firstboot_rw_t:file r_file_perms;
')
# Search /tmp (search only, no listing or creation).
allow rhgb_t tmp_t:dir search;
# rhgb may SIGKILL the X server it started (the transition rule above).
allow rhgb_t xdm_xserver_t:process sigkill;
# Every domain (the `domain` attribute) may read and write rhgb's pty.
# NOTE(review): this is deliberately broad; if only processes rhgb spawns
# need the pty, a narrower set of domains would reduce exposure.
allow domain rhgb_devpts_t:chr_file { read write };
# Only when the fsadm policy module is part of the build.
ifdef(`fsadm.te', `
# Suppress denials for filesystem tools writing to fifos on the ramfs.
dontaudit fsadm_t ramfs_t:fifo_file write;
')
# Read the X server's temporary files.
allow rhgb_t xdm_xserver_tmp_t:file { getattr read };
# NOTE(review): the last rule in this file allows rhgb_t { getattr read } on
# default_t files, so this dontaudit is redundant (dontaudit only matters
# when the access is denied). One of the two should go.
dontaudit rhgb_t default_t:file read;
# Init scripts may search directories on rhgb's ramfs.
allow initrc_t ramfs_t:dir search;
# Init scripts may connect to (write) the socket nodes rhgb creates on the ramfs.
allow initrc_t ramfs_t:sock_file write;
# Init scripts may read and write rhgb's unix stream sockets once connected.
allow initrc_t rhgb_t:unix_stream_socket { read write };
# Read unlabeled/default_t files; this makes the earlier
# `dontaudit rhgb_t default_t:file read` redundant.
allow rhgb_t default_t:file { getattr read };