#DESC XFS - X Font Server

#

# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  

#           Russell Coker <russell@coker.com.au>

# X-Debian-Packages: xfs

#

#################################

#

# Rules for the xfs_t domain.

#

# xfs_t is the domain of the X font server.

# xfs_exec_t is the type of the xfs executable.

#

daemon_domain(xfs)

# for /tmp/.font-unix/fs7100

ifdef(`distro_debian', `

type xfs_tmp_t, file_type, sysadmfile, tmpfile;

allow xfs_t tmp_t:dir search;

file_type_auto_trans(xfs_t, initrc_tmp_t, xfs_tmp_t, sock_file)

', `

tmp_domain(xfs, `', `{dir sock_file}')

')

allow xfs_t { etc_t etc_runtime_t }:file { getattr read };

allow xfs_t proc_t:file { getattr read };

allow xfs_t self:process setpgid;

can_ypbind(xfs_t)

# Use capabilities.

allow xfs_t self:capability { setgid setuid };

# Bind to /tmp/.font-unix/fs-1.

allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;

allow xfs_t self:unix_stream_socket create_stream_socket_perms;

allow xfs_t self:unix_dgram_socket create_socket_perms;

# Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*

allow xfs_t fonts_t:dir search;

allow xfs_t fonts_t:file { getattr read };

# Unlink the xfs socket.

allow initrc_t xfs_tmp_t:dir rw_dir_perms;

allow initrc_t xfs_tmp_t:dir rmdir;

allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };

allow initrc_t fonts_t:dir create_dir_perms;

allow initrc_t fonts_t:file create_file_perms;