#
# Macros for X client programs (the program name is supplied as the $2 parameter)
#

#
# Author: Russell Coker <russell@coker.com.au>
# Based on the work of Stephen Smalley <sds@epoch.ncsc.mil>
# and Timothy Fraser 
#

#
# xsession_domain(client_prefix, xserver_prefix)
#
# Grant an X client domain what it needs to use a running X server:
# connecting to the server socket, signalling the server, sharing file
# descriptors with it and sharing memory with it.
#
# The first parameter is the prefix of the client domain ($1_t, together
# with the $1_tmpfs_t type that is expected to exist for it).
# The second parameter is the prefix of the X server domain ($2_xserver_t,
# $2_xserver_tmp_t, $2_xserver_tmpfs_t): xdm when the server was started
# by xdm, or the user prefix when it was started via startx.
#
define(`xsession_domain', `

# Connect to xserver
can_unix_connect($1_t, $2_xserver_t)

# /tmp/.ICE_unix: search the xserver tmp directory and use the sockets in it.
allow $1_t $2_xserver_tmp_t:dir search;
allow $1_t $2_xserver_tmp_t:sock_file rw_file_perms;

# Stat /tmp/.X0-lock (getattr only; the lock file is neither read nor written)
allow $1_t $2_xserver_tmp_t:file getattr;

# Signal Xserver (the plain signal permission only, not sigkill or sigstop)
allow $1_t $2_xserver_t:process signal;

# Use file descriptors created by each other (both directions).
allow $1_t $2_xserver_t:fd use;
allow $2_xserver_t $1_t:fd use;

# Xserver read/write parent shm
# (parent here is the client domain $1_t: the server gets read-write access
# to the client shm segments and to the client tmpfs-backed files)
allow $2_xserver_t $1_t:shm rw_shm_perms;
allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;

# Parent read xserver shm
# Note the asymmetry with the two rules above: the server may write client
# shm, but the client only gets read access to server shm and tmpfs files.
allow $1_t $2_xserver_t:shm r_shm_perms;
allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
')

#
# x_client_domain(domain_prefix)
#
# Define a derived domain for an X program when executed by
# a user domain.  
#
# The type declaration for the executable type for this program ($2_exec_t)
# must be provided separately!
#
# The first parameter is the base name for the domain/role (e.g. user or sysadm)
# The second parameter is the program name (the $2 used in $2_exec_t and $1_$2_t)
# The third parameter is the list of additional attributes for the domain (if any)
#
define(`x_client_domain',`
# Derived domain based on the calling user domain and the program.
# The third parameter is spliced into the attribute list as given (it may be
# empty).  If it contains the word transitionbool, that word also reaches
# this type declaration, so transitionbool is presumably declared as an
# attribute elsewhere in the policy (confirm).
type $1_$2_t, domain, nscd_client_domain $3;

# If transitionbool is not among the attributes, the transition from the
# user domain into the derived domain is unconditional; otherwise it is
# gated by the disable_$2 boolean.
ifelse(index(`$3', `transitionbool'), -1, `
domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
can_exec($1_$2_t, $2_exec_t)
', `
# Only do it once
# The boolean is declared only when this macro is instantiated for the user
# prefix; instantiations for other prefixes reference disable_$2 without
# declaring it, so presumably a user instantiation always exists (confirm).
ifelse($1, user, `
bool disable_$2 false;
')
# Transition from the user domain to the derived domain.
# When disable_$2 is true neither the transition nor the exec permission
# is granted here, so the program does not run in $1_$2_t; what happens
# to an attempt to run it is then decided by rules outside this macro.
if (! disable_$2) {
domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
can_exec($1_$2_t, $2_exec_t)
}
')

# The user role is authorized for this domain.
role $1_r types $1_$2_t;

# This domain is granted permissions common to most domains (including can_net)
can_network($1_$2_t)
can_ypbind($1_$2_t)
# Self access: fork, the full signal set and getsched, plus local sockets
# and pipes.
allow $1_$2_t self:process { fork signal_perms getsched };
allow $1_$2_t self:unix_dgram_socket create_socket_perms;
allow $1_$2_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow $1_$2_t self:fifo_file rw_file_perms;
# Read-only access to system configuration, locale data, the terminal of
# the user and the process filesystem.
allow $1_$2_t etc_runtime_t:file { getattr read };
allow $1_$2_t etc_t:lnk_file read;
allow $1_$2_t fs_t:filesystem getattr;
access_terminal($1_$2_t, $1)
read_locale($1_$2_t)
r_dir_file($1_$2_t, readable_t)
allow $1_$2_t proc_t:dir search;
allow $1_$2_t proc_t:lnk_file read;
allow $1_$2_t self:dir search;
allow $1_$2_t self:lnk_file read;
read_sysctl($1_$2_t)

# Read the xauth home files of this user (only when xauth.te is in the policy).
ifdef(`xauth.te',`
allow $1_$2_t $1_xauth_home_t:file { getattr read };
')

# Allow the user domain to send any signal to the $2 process.
allow $1_t $1_$2_t:process signal_perms;

# Allow the user domain to read the /proc/PID directory for 
# the $2 process.
allow $1_t $1_$2_t:dir r_dir_perms;
allow $1_t $1_$2_t:notdevfile_class_set r_file_perms;

# Allow use of /dev/zero by ld.so.
# x_file_perms is granted in addition to rw_file_perms, presumably so the
# device can be mapped with execute access (confirm against ld.so usage).
allow $1_$2_t device_t:dir search;
allow $1_$2_t zero_device_t:chr_file rw_file_perms;
allow $1_$2_t zero_device_t:chr_file x_file_perms;

# allow using shared libraries and running programs
# Note that this is broad: the derived domain may execute anything labelled
# shell_exec_t or bin_t.  Any domain transitions out of $1_$2_t on such
# execs are defined elsewhere, not here.
uses_shlib($1_$2_t)
allow $1_$2_t { bin_t sbin_t }:dir search;
allow $1_$2_t bin_t:lnk_file read;
can_exec($1_$2_t, { shell_exec_t bin_t })
allow $1_$2_t etc_t:file { getattr read };

# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te', `allow $1_$2_t $1_gph_t:fd use;')
# privfd is presumably an attribute, so this covers every domain carrying it.
allow $1_$2_t privfd:fd use;

# for .xsession-errors
# dontaudit only silences the denial message; this rule grants no write
# access to $1_home_t files.
dontaudit $1_$2_t $1_home_t:file write;

# for X over a ssh tunnel
ifdef(`ssh.te', `
can_tcp_connect($1_$2_t, sshd_t)
')

# Read the home directory, e.g. for .Xauthority and to get to config files
# (search and getattr on the home root only; access to the per-user home
# contents is not granted by this rule)
allow $1_$2_t home_root_t:dir { search getattr };

# Use a separate type for tmpfs/shm pseudo files.
# Presumably declares $1_$2_tmpfs_t, which the xsession_domain calls below
# rely on as the tmpfs type of the client prefix (confirm in tmpfs_domain).
tmpfs_domain($1_$2)

allow $1_$2_t self:shm create_shm_perms;

# allow X client to read all font files
r_dir_file($1_$2_t, fonts_t)

# Allow connections to X server.
# Only when xserver.te is part of the policy; the server may be run by xdm,
# by startx from the user domain, or both, and each case gets its own rules.
ifdef(`xserver.te', `
allow $1_$2_t tmp_t:dir search;

ifdef(`xdm.te', `
xsession_domain($1_$2, xdm)

# for when /tmp/.X11-unix is created by the system
allow $1_$2_t xdm_t:fifo_file rw_file_perms;
allow $1_$2_t xdm_tmp_t:dir search;
allow $1_$2_t xdm_tmp_t:sock_file { read write };
allow $1_$2_t xdm_t:fd use;
# Silence, without granting, read/write attempts on xdm tcp sockets
# (presumably ones inherited as open descriptors).
dontaudit $1_$2_t xdm_t:tcp_socket { read write };
')

ifdef(`startx.te', `
# With startx the X server runs in the $1_xserver_t domain of this user,
# so the user prefix is passed as the second parameter.
xsession_domain($1_$2, $1)
')dnl end startx

')dnl end xserver

')dnl end x_client macro