rpms / selinux-policy

Clone
Source Code
GIT

Blame strict/macros/program/x_client_macros.te

c10s-sig-hyperscale c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   512e8cf9ff0c4ee349a9c1a402b1c31d91165df7
  2.   strict
  3.   macros
  4.   program
  5.   x_client_macros.te
Blob History Raw
Chris PeBenito 0fbfa5 
#
Chris PeBenito 2705f9 
# Macros for X client programs
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5 
# Author: Russell Coker <russell@coker.com.au>
Chris PeBenito 0fbfa5 
# Based on the work of Stephen Smalley <sds@epoch.ncsc.mil>
Chris PeBenito 0fbfa5 
# and Timothy Fraser
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9 
# Allows clients to write to the X server's shm
Chris PeBenito 2705f9 
bool allow_write_xshm false;
Chris PeBenito 2705f9
Chris PeBenito 0fbfa5 
define(`xsession_domain', `
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# Connect to xserver
Chris PeBenito 0fbfa5 
can_unix_connect($1_t, $2_xserver_t)
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9 
# Read /tmp/.X0-lock
Chris PeBenito 2705f9 
allow $1_t $2_xserver_tmp_t:file { getattr read };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# Signal Xserver
Chris PeBenito 0fbfa5 
allow $1_t $2_xserver_t:process signal;
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9 
# Xserver read/write client shm
Chris PeBenito 0fbfa5 
allow $2_xserver_t $1_t:fd use;
Chris PeBenito 0fbfa5 
allow $2_xserver_t $1_t:shm rw_shm_perms;
Chris PeBenito 0fbfa5 
allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9 
# Client read xserver shm
Chris PeBenito 2705f9 
allow $1_t $2_xserver_t:fd use;
Chris PeBenito 0fbfa5 
allow $1_t $2_xserver_t:shm r_shm_perms;
Chris PeBenito 0fbfa5 
allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# Client write xserver shm
Chris PeBenito 2705f9 
if (allow_write_xshm) {
Chris PeBenito 2705f9 
allow $1_t $2_xserver_t:shm rw_shm_perms;
Chris PeBenito 2705f9 
allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
Chris PeBenito 2705f9 
}
Chris PeBenito 2705f9
Chris PeBenito 0fbfa5 
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
#
Chris PeBenito 2705f9 
# x_client_domain(client, role)
Chris PeBenito 0fbfa5 
#
Chris PeBenito 2705f9 
# Defines common X access rules for the client domain
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5 
define(`x_client_domain',`
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9 
# Create socket to communicate with X server
Chris PeBenito 2705f9 
allow $1_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 2705f9 
allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9 
# Read .Xauthority file
Chris PeBenito 0fbfa5 
ifdef(`xauth.te',`
Chris PeBenito 2705f9 
allow $1_t home_root_t:dir { search getattr };
Chris PeBenito 2705f9 
allow $1_t $2_home_dir_t:dir { search getattr };
Chris PeBenito 2705f9 
allow $1_t $2_xauth_home_t:file { getattr read };
Chris PeBenito 0fbfa5 
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# for .xsession-errors
Chris PeBenito 2705f9 
dontaudit $1_t $2_home_t:file write;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# for X over a ssh tunnel
Chris PeBenito 0fbfa5 
ifdef(`ssh.te', `
Chris PeBenito 2705f9 
can_tcp_connect($1_t, sshd_t)
Chris PeBenito 0fbfa5 
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# Use a separate type for tmpfs/shm pseudo files.
Chris PeBenito 2705f9 
tmpfs_domain($1)
Chris PeBenito 2705f9 
allow $1_t self:shm create_shm_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# allow X client to read all font files
Chris PeBenito 2705f9 
read_fonts($1_t, $2)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# Allow connections to X server.
Chris PeBenito 0fbfa5 
ifdef(`xserver.te', `
Chris PeBenito 2705f9 
allow $1_t tmp_t:dir search;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
ifdef(`xdm.te', `
Chris PeBenito 2705f9 
xsession_domain($1, xdm)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# for when /tmp/.X11-unix is created by the system
Chris PeBenito 2705f9 
can_pipe_xdm($1_t)
Chris PeBenito 2705f9 
allow $1_t xdm_tmp_t:dir search;
Chris PeBenito 2705f9 
allow $1_t xdm_tmp_t:sock_file { read write };
Chris PeBenito 2705f9 
dontaudit $1_t xdm_t:tcp_socket { read write };
Chris PeBenito 0fbfa5 
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
ifdef(`startx.te', `
Chris PeBenito 2705f9 
xsession_domain($1, $2)
Chris PeBenito 0fbfa5 
')dnl end startx
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
')dnl end xserver
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
')dnl end x_client macro

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation