#

# Macros for X server domains.

#

#

# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser

#

#################################

#

# xserver_domain(domain_prefix)

#

# Define a derived domain for the X server when executed

# by a user domain (e.g. via startx).  See the xdm_t domain

# in domains/program/xdm.te if using an X Display Manager.

#

# The type declarations for the executable type for this program 

# and the log type are provided separately in domains/program/xserver.te. 

#

# FIXME!  The X server requires far too many privileges.

#

undefine(`xserver_domain')

ifdef(`xserver.te', `

define(`xserver_domain',`

# Derived domain based on the calling user domain and the program.

ifdef(`distro_redhat', `

type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;

allow $1_xserver_t sysctl_modprobe_t:file { getattr read };

ifdef(`rpm.te', `

allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };

allow $1_xserver_t rpm_tmpfs_t:file { read write };

allow $1_xserver_t rpm_t:fd use;

')

', `

type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;

')

# for SSP

allow $1_xserver_t urandom_device_t:chr_file { getattr read ioctl };

# Transition from the user domain to this domain.

ifelse($1, xdm, `

ifdef(`xdm.te', `

domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)

')

', `

domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t)

')dnl end ifelse xdm

can_exec($1_xserver_t, xserver_exec_t)

uses_shlib($1_xserver_t)

allow $1_xserver_t texrel_shlib_t:file execmod;

can_network($1_xserver_t)

allow $1_xserver_t port_type:tcp_socket name_connect;

can_ypbind($1_xserver_t)

allow $1_xserver_t xserver_port_t:tcp_socket name_bind;

# for access within the domain

general_domain_access($1_xserver_t)

allow $1_xserver_t self:process execmem;

# Until the X module loader is fixed.

allow $1_xserver_t self:process execheap;

allow $1_xserver_t etc_runtime_t:file { getattr read };

ifelse($1, xdm, `

# The system role is authorised for the xdm and initrc domains

role system_r types xdm_xserver_t;

allow xdm_xserver_t init_t:fd use;

dontaudit xdm_xserver_t home_dir_type:dir { read search };

# Read all global and per user fonts

read_fonts($1_xserver_t, sysadm)

read_fonts($1_xserver_t, staff)

read_fonts($1_xserver_t, user)

', `

# The user role is authorized for this domain.

role $1_r types $1_xserver_t;

allow $1_xserver_t getty_t:fd use;

allow $1_xserver_t local_login_t:fd use;

allow $1_xserver_t $1_tty_device_t:chr_file { setattr rw_file_perms };

allow $1_xserver_t $1_tmpfs_t:file rw_file_perms;

allow $1_t $1_xserver_tmpfs_t:file rw_file_perms;

can_unix_connect($1_t, $1_xserver_t)

# Read fonts

read_fonts($1_xserver_t, $1)

# Access the home directory.

allow $1_xserver_t home_root_t:dir search;

allow $1_xserver_t $1_home_dir_t:dir { getattr search };

ifdef(`xauth.te', `

domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)

allow $1_xserver_t $1_xauth_home_t:file { getattr read };

', `

allow $1_xserver_t $1_home_t:file { getattr read };

')dnl end ifdef xauth

ifdef(`userhelper.te', `

allow $1_xserver_t userhelper_conf_t:dir search;

')dnl end ifdef userhelper

')dnl end ifelse xdm

allow $1_xserver_t self:process setsched;

allow $1_xserver_t fs_t:filesystem getattr;

# Xorg wants to check if kernel is tainted

read_sysctl($1_xserver_t)

# Use capabilities.

# allow setuid/setgid for the wrapper program to change UID

# sys_rawio is for iopl access - should not be needed for frame-buffer

# sys_admin, locking shared mem?  chowning IPC message queues or semaphores?

# admin of APM bios?

# sys_nice is so that the X server can set a negative nice value

allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };

allow $1_xserver_t nfs_t:dir { getattr search };

# memory_device_t access is needed if not using the frame buffer

#dontaudit $1_xserver_t memory_device_t:chr_file read;

allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute };

# net_bind_service is needed if you want your X server to allow TCP connections

# from other hosts, EG an XDM serving a network of X terms

# if you want good security you do not want this

# not sure why some people want chown, fsetid, and sys_tty_config.

#allow $1_xserver_t self:capability { net_bind_service chown fsetid sys_tty_config };

dontaudit $1_xserver_t self:capability chown;

# for nscd

dontaudit $1_xserver_t var_run_t:dir search;

allow $1_xserver_t mtrr_device_t:file rw_file_perms;

allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;

allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;

allow $1_xserver_t device_t:lnk_file { getattr read };

allow $1_xserver_t devtty_t:chr_file rw_file_perms;

allow $1_xserver_t zero_device_t:chr_file { read write execute };

# Type for temporary files.

tmp_domain($1_xserver, `', `{ dir file sock_file }')

file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)

ifelse($1, xdm, `

ifdef(`xdm.te', `

allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;

allow xdm_t xdm_xserver_t:unix_stream_socket connectto;

allow xdm_t $1_xserver_t:process signal;

can_unix_connect(xdm_t, xdm_xserver_t)

allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;

allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;

allow xdm_xserver_t xdm_t:process signal;

allow xdm_xserver_t xdm_t:shm rw_shm_perms;

allow xdm_t xdm_xserver_t:shm rw_shm_perms;

dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };

')

', `

allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;

allow $1_t xdm_xserver_t:unix_stream_socket connectto;

allow $1_t $1_xserver_t:process signal;

# Allow the user domain to connect to the X server.

can_unix_connect($1_t, $1_xserver_t)

allow $1_t $1_xserver_tmp_t:sock_file rw_file_perms;

allow $1_t $1_xserver_tmp_t:dir r_dir_perms;

ifdef(`xdm.te', `

allow $1_t xdm_tmp_t:sock_file unlink;

allow $1_xserver_t xdm_var_run_t:dir search;

')

# Signal the user domain.

allow $1_xserver_t $1_t:process signal;

# Communicate via System V shared memory.

allow $1_xserver_t $1_t:shm rw_shm_perms;

allow $1_t $1_xserver_t:shm rw_shm_perms;

allow $1_xserver_t initrc_t:shm rw_shm_perms;

')dnl end ifelse xdm

# Create files in /var/log with the xserver_log_t type.

allow $1_xserver_t var_t:dir search;

file_type_auto_trans($1_xserver_t, var_log_t, xserver_log_t, file)

allow $1_xserver_t xserver_log_t:dir r_dir_perms;

# Access AGP device.

allow $1_xserver_t agp_device_t:chr_file rw_file_perms;

# for other device nodes such as the NVidia binary-only driver

allow $1_xserver_t xserver_misc_device_t:chr_file rw_file_perms;

# Access /proc/mtrr

allow $1_xserver_t proc_t:file rw_file_perms;

allow $1_xserver_t proc_t:lnk_file { getattr read };

# Access /proc/sys/dev

allow $1_xserver_t sysctl_dev_t:dir search;

allow $1_xserver_t sysctl_dev_t:file { getattr read };

# Access /proc/bus/pci

allow $1_xserver_t proc_t:dir r_dir_perms;

# Create and access /dev/dri devices.

allow $1_xserver_t device_t:dir { create setattr };

file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)

# brought on by rhgb

allow $1_xserver_t mnt_t:dir search;

allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };

# Run helper programs in $1_xserver_t.

allow $1_xserver_t { bin_t sbin_t }:dir search;

allow $1_xserver_t etc_t:{ file lnk_file } { getattr read };

allow $1_xserver_t bin_t:lnk_file read;

can_exec($1_xserver_t, { bin_t shell_exec_t })

# Connect to xfs.

ifdef(`xfs.te', `

can_unix_connect($1_xserver_t, xfs_t)

allow $1_xserver_t xfs_tmp_t:dir r_dir_perms;

allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms;

# Bind to the X server socket in /tmp.

allow $1_xserver_t $1_xserver_tmp_t:unix_stream_socket name_bind;

')

read_locale($1_xserver_t)

# Type for tmpfs/shm files.

tmpfs_domain($1_xserver)

ifelse($1, xdm, `

ifdef(`xdm.te', `

allow xdm_xserver_t xdm_t:shm rw_shm_perms;

allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;

')

', `

allow $1_xserver_t $1_t:shm rw_shm_perms;

rw_dir_file($1_xserver_t, $1_tmpfs_t)

')dnl end ifelse xdm

r_dir_file($1_xserver_t,sysfs_t)

# Use the mouse.

allow $1_xserver_t mouse_device_t:chr_file rw_file_perms;

# Allow xserver to read events - the synaptics touchpad

# driver reads raw events

allow $1_xserver_t event_device_t:chr_file rw_file_perms;

ifdef(`pamconsole.te', `

allow $1_xserver_t pam_var_console_t:dir search;

')

dontaudit $1_xserver_t selinux_config_t:dir search;

allow $1_xserver_t var_lib_t:dir search;

rw_dir_create_file($1_xserver_t, xkb_var_lib_t)

')dnl end macro definition

', `

define(`xserver_domain',`')

')