diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index cbfc9d6..5a954dc 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1381,6 +1381,22 @@ interface(`dev_write_misc',`
########################################
##
+## Do not audit attempts to read and write miscellaneous devices.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_dontaudit_rw_misc',`
+ gen_require(`
+ type misc_device_t;
+ ')
+
+ dontaudit $1 misc_device_t:chr_file rw_file_perms;
+')
+
+########################################
+##
## Get the attributes of the mouse devices.
##
##
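Review bot: The parameter description of the new dev_dontaudit_rw_misc interface says `Domain allowed access.`, but a dontaudit interface allows nothing; the storage.if interfaces added in the same commit describe the parameter as `Domain to not audit.`, and this one should match: `## Domain to not audit.`. The body itself (chr_file with rw_file_perms on misc_device_t) is consistent with the other dontaudit interfaces in the series, and it is a narrower replacement for the old file_class_set rule being dropped from xdm.te.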
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 54c0cf8..5f1f1f8 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -138,6 +138,24 @@ interface(`storage_raw_write_fixed_disk',`
########################################
##
+## Do not audit attempts made by the caller to write
+## fixed disk device nodes.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`storage_dontaudit_write_fixed_disk',`
+ gen_require(`
+ type fixed_disk_device_t;
+
+ ')
+
+ dontaudit $1 fixed_disk_device_t:blk_file { write append ioctl };
+')
+
+########################################
+##
## Create block devices in /dev with the fixed disk type.
##
##
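Review bot: There is a stray blank line inside the gen_require block of storage_dontaudit_write_fixed_disk, between `type fixed_disk_device_t;` and `')`; none of the other interfaces added in this commit have one, so drop it for consistency. Separately, xdm.te in this same commit calls storage_dontaudit_read_fixed_disk, storage_dontaudit_setattr_fixed_disk and storage_dontaudit_setattr_removable_device, none of which appear in this diff, so presumably they already exist in storage.if; worth confirming before merge, since a missing interface only shows up at policy build time.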
@@ -381,6 +399,23 @@ interface(`storage_set_scsi_generic_attributes',`
########################################
##
+## Do not audit attempts to read or write
+## SCSI generic device interfaces.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`storage_dontaudit_rw_scsi_generic',`
+ gen_require(`
+ type scsi_generic_device_t;
+ ')
+
+ dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;
+')
+
+########################################
+##
## Allow the caller to get the attributes of removable
## devices device nodes.
##
@@ -496,6 +531,22 @@ interface(`storage_raw_read_removable_device',`
########################################
##
+## Do not audit attempts to directly read removable devices.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`storage_dontaudit_raw_read_removable_device',`
+ gen_require(`
+ type removable_device_t;
+ ')
+
+ dontaudit $1 removable_device_t:blk_file r_file_perms;
+')
+
+########################################
+##
## Allow the caller to directly write to
## a removable device.
## This is extremly dangerous as it can bypass the
@@ -518,6 +569,22 @@ interface(`storage_raw_write_removable_device',`
########################################
##
+## Do not audit attempts to directly write removable devices.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`storage_dontaudit_raw_write_removable_device',`
+ gen_require(`
+ type removable_device_t;
+ ')
+
+ dontaudit $1 removable_device_t:blk_file { write append ioctl };
+')
+
+########################################
+##
## Allow the caller to directly read
## a tape device.
##
diff --git a/refpolicy/policy/modules/services/gpm.if b/refpolicy/policy/modules/services/gpm.if
index f54f007..7e0a886 100644
--- a/refpolicy/policy/modules/services/gpm.if
+++ b/refpolicy/policy/modules/services/gpm.if
@@ -2,6 +2,24 @@
########################################
##
+## Connect to GPM over a unix domain
+## stream socket.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`gpm_stream_connect',`
+ gen_require(`
+ type gpmctl_t, gpm_t;
+ ')
+
+ allow $1 gpmctl_t:sock_file { getattr write };
+ allow $1 gpm_t:unix_stream_socket connectto;
+')
+
+########################################
+##
## Get the attributes of the GPM
## control channel named socket.
##
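Review bot: gpm_stream_connect grants `getattr write` on the gpmctl_t socket and `connectto` to gpm_t but, unlike gpm_getattr_gpmctl and gpm_setattr_gpmctl further down in this file, does not call `dev_list_all_dev_nodes($1)`; if the control socket lives under /dev, as those two interfaces suggest, a caller relying on this interface alone could not search the directory to reach it. Either add `dev_list_all_dev_nodes($1)` here for consistency with its siblings, or state in the summary that the caller is expected to already have /dev search access (xdm_t does, via other rules in this commit, which may be why it was not noticed).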
@@ -12,7 +30,6 @@
interface(`gpm_getattr_gpmctl',`
gen_require(`
type gpmctl_t;
- class sock_file getattr;
')
dev_list_all_dev_nodes($1)
@@ -32,10 +49,8 @@ interface(`gpm_getattr_gpmctl',`
interface(`gpm_dontaudit_getattr_gpmctl',`
gen_require(`
type gpmctl_t;
- class sock_file getattr;
')
- dev_list_all_dev_nodes($1)
dontaudit $1 gpmctl_t:sock_file getattr;
')
@@ -51,7 +66,6 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
interface(`gpm_setattr_gpmctl',`
gen_require(`
type gpmctl_t;
- class sock_file setattr;
')
dev_list_all_dev_nodes($1)
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
index 80006cf..ea49d15 100644
--- a/refpolicy/policy/modules/services/xdm.te
+++ b/refpolicy/policy/modules/services/xdm.te
@@ -28,12 +28,12 @@ files_lock_file(xdm_lock_t)
type xdm_rw_etc_t;
files_type(xdm_rw_etc_t)
-type xdm_var_run_t;
-files_type(xdm_var_run_t)
-
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
+type xdm_var_run_t;
+files_type(xdm_var_run_t)
+
type xdm_tmp_t;
files_tmp_file(xdm_tmp_t)
@@ -46,11 +46,17 @@ files_tmpfs_file(xdm_tmpfs_t)
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid setsched setrlimit };
+allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms };
allow xdm_t self:fifo_file rw_file_perms;
allow xdm_t self:shm create_shm_perms;
+allow xdm_t self:sem create_sem_perms;
allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow xdm_t self:unix_dgram_socket create_socket_perms;
+allow xdm_t self:tcp_socket create_stream_socket_perms;
+allow xdm_t self:udp_socket create_socket_perms;
+
+# Allow gdm to run gdm-binary
+can_exec(xdm_t, xdm_exec_t)
# wdm has its own config dir /etc/X11/wdm
# this is ugly, daemons should not create files under /etc!
@@ -68,16 +74,61 @@ corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
corecmd_exec_sbin(xdm_t)
+corenet_tcp_sendrecv_generic_if(xdm_t)
+corenet_udp_sendrecv_generic_if(xdm_t)
+corenet_raw_sendrecv_generic_if(xdm_t)
+corenet_tcp_sendrecv_all_nodes(xdm_t)
+corenet_udp_sendrecv_all_nodes(xdm_t)
+corenet_raw_sendrecv_all_nodes(xdm_t)
+corenet_tcp_sendrecv_all_ports(xdm_t)
+corenet_udp_sendrecv_all_ports(xdm_t)
+corenet_non_ipsec_sendrecv(xdm_t)
+corenet_tcp_bind_all_nodes(xdm_t)
+corenet_udp_bind_all_nodes(xdm_t)
corenet_tcp_connect_all_ports(xdm_t)
+# xdm tries to bind to biff_port_t
+corenet_dontaudit_tcp_bind_all_ports(xdm_t)
dev_read_rand(xdm_t)
dev_read_urand(xdm_t)
+dev_read_sysfs(xdm_t)
+dev_getattr_framebuffer(xdm_t)
+dev_setattr_framebuffer(xdm_t)
+dev_getattr_mouse(xdm_t)
+dev_setattr_mouse(xdm_t)
+dev_rw_apm_bios(xdm_t)
+dev_setattr_apm_bios(xdm_t)
+dev_rw_dri_dev(xdm_t)
+dev_rw_agp_dev(xdm_t)
+dev_getattr_xserver_misc_dev(xdm_t)
+dev_setattr_xserver_misc_dev(xdm_t)
+dev_getattr_misc(xdm_t)
+dev_setattr_misc(xdm_t)
+dev_dontaudit_rw_misc(xdm_t)
+dev_getattr_video_dev(xdm_t)
+dev_setattr_video_dev(xdm_t)
+dev_getattr_scanner(xdm_t)
+dev_setattr_scanner(xdm_t)
+dev_getattr_snd_dev(xdm_t)
+dev_setattr_snd_dev(xdm_t)
+dev_getattr_power_management(xdm_t)
+dev_setattr_power_management(xdm_t)
+
+domain_use_wide_inherit_fd(xdm_t)
+# Do not audit denied probes of /proc.
+domain_dontaudit_read_all_domains_state(xdm_t)
files_read_etc_files(xdm_t)
files_read_etc_runtime_files(xdm_t)
files_exec_etc_files(xdm_t)
+files_list_mnt(xdm_t)
# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
files_read_usr_files(xdm_t)
+# Poweroff wants to create the /poweroff file when run from xdm
+files_create_boot_flag(xdm_t)
+
+fs_getattr_all_fs(xdm_t)
+fs_search_auto_mountpoints(xdm_t)
selinux_get_fs_mount(xdm_t)
selinux_validate_context(xdm_t)
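Review bot: The raw-IP interfaces `corenet_raw_sendrecv_generic_if(xdm_t)` and `corenet_raw_sendrecv_all_nodes(xdm_t)` are added although the self-socket rules in the previous hunk only cover tcp_socket and udp_socket; unless xdm_t is granted rawip_socket somewhere outside this diff these two calls are dead permissions that widen the profile, so either drop them or add a comment naming the raw-socket use. `corenet_dontaudit_tcp_bind_all_ports(xdm_t)` likewise silences bind denials on every port although the comment above it says the need is only biff_port_t; if a port-specific dontaudit interface exists it would keep other bind denials visible, otherwise the comment should say the broad form is deliberate. The tcp/udp sendrecv and bind-all-nodes rules, together with the existing `corenet_tcp_connect_all_ports(xdm_t)`, would also benefit from a one-line comment naming the xdm feature that requires them, in the style of the `# xdm tries to bind to biff_port_t` comment already present.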
@@ -86,18 +137,54 @@ selinux_compute_create_context(xdm_t)
selinux_compute_relabel_context(xdm_t)
selinux_compute_user_contexts(xdm_t)
+storage_dontaudit_read_fixed_disk(xdm_t)
+storage_dontaudit_write_fixed_disk(xdm_t)
+storage_dontaudit_setattr_fixed_disk(xdm_t)
+storage_dontaudit_raw_read_removable_device(xdm_t)
+storage_dontaudit_raw_write_removable_device(xdm_t)
+storage_dontaudit_setattr_removable_device(xdm_t)
+storage_dontaudit_rw_scsi_generic(xdm_t)
+
+term_setattr_console(xdm_t)
+term_dontaudit_use_console(xdm_t)
+term_use_unallocated_tty(xdm_t)
+term_setattr_unallocated_ttys(xdm_t)
+
auth_rw_lastlog(xdm_t)
+auth_read_login_records(xdm_t)
auth_append_login_records(xdm_t)
+auth_manage_pam_pid(xdm_t)
+auth_exec_pam(xdm_t)
+auth_manage_pam_console_data(xdm_t)
init_rw_utmp(xdm_t)
-# for reboot
+init_use_script_pty(xdm_t)
+# Run telinit->init to shutdown.
+init_exec(xdm_t)
init_write_initctl(xdm_t)
+libs_use_ld_so(xdm_t)
+libs_use_shared_libs(xdm_t)
libs_exec_lib_files(xdm_t)
+logging_send_syslog_msg(xdm_t)
+logging_read_generic_logs(xdm_t)
+
+miscfiles_read_localization(xdm_t)
+miscfiles_read_fonts(xdm_t)
+
seutil_read_config(xdm_t)
seutil_read_default_contexts(xdm_t)
+sysnet_read_config(xdm_t)
+
+userdom_dontaudit_use_unpriv_user_fd(xdm_t)
+userdom_dontaudit_search_sysadm_home_dir(xdm_t)
+# for .dmrc
+userdom_read_unpriv_user_home_files(xdm_t)
+# Search /proc for any user domain processes.
+userdom_read_all_userdomains_state(xdm_t)
+
ifdef(`strict_policy',`
allow xdm_t xdm_lock_t:file create_file_perms;
files_filetrans_lock(xdm_t,xdm_lock_t)
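Review bot: The storage_dontaudit_* calls here replace the old `dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms}` rule removed later in this file, but the interfaces added in storage.if in this commit (storage_dontaudit_write_fixed_disk, storage_dontaudit_raw_read_removable_device, storage_dontaudit_raw_write_removable_device) cover blk_file only; if any chr_file nodes carry those types, denials that used to be silenced will now be audited, which is arguably the safer default but should be a stated decision rather than a side effect. The old `dontaudit xdm_t device_t:file_class_set rw_file_perms` has no visible replacement in this hunk either. Three of the interfaces called here (storage_dontaudit_read_fixed_disk, storage_dontaudit_setattr_fixed_disk, storage_dontaudit_setattr_removable_device) are not defined in this diff and must already exist in storage.if.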
@@ -122,7 +209,18 @@ ifdef(`strict_policy',`
allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
files_filetrans_pid(xdm_t,xdm_var_run_t,{ dir fifo_file })
+ domain_subj_id_change_exempt(xdm_t)
+ domain_role_change_exempt(xdm_t)
+ domain_obj_id_change_exempt(xdm_t)
+
+ auth_domtrans_chk_passwd(xdm_t)
+ auth_domtrans_pam_console(xdm_t)
+
xserver_dontaudit_read_all_users_iceauth(xdm_t)
+
+ optional_policy(`alsa',`
+ alsa_domtrans(xdm_t)
+ ')
')
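Review bot: The three domain_*_change_exempt calls plus auth_domtrans_chk_passwd and nscd_use_socket account for privuser, privrole, privowner, auth_chkpwd and nscd_client_domain from the `daemon_domain(xdm, ...)` line this commit deletes from the TODO block, but privmem has no visible equivalent anywhere in the diff. If it is intentionally dropped, a comment such as `# privmem from the old daemon_domain() attribute list is deliberately not carried over` would stop a later reader from re-adding it; if it is still needed, the corresponding interface should be called here. This hunk sits inside the strict_policy ifdef, which opens before the hunk.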
ifdef(`targeted_policy',`
@@ -131,6 +229,12 @@ ifdef(`targeted_policy',`
unconfined_domtrans(xdm_t)
')
+optional_policy(`gpm',`
+ # Talk to the console mouse server.
+ gpm_stream_connect(xdm_t)
+ gpm_setattr_gpmctl(xdm_t)
+')
+
optional_policy(`hostname',`
hostname_exec(xdm_t)
')
@@ -143,14 +247,28 @@ optional_policy(`locallogin',`
locallogin_signull(xdm_t)
')
+optional_policy(`nscd',`
+ nscd_use_socket(xdm_t)
+')
+
+optional_policy(`selinuxutil',`
+ seutil_sigchld_newrole(xdm_t)
+')
+
+optional_policy(`udev',`
+ udev_read_db(xdm_t)
+')
+
optional_policy(`userhelper',`
userhelper_dontaudit_search_config(xdm_t)
')
+optional_policy(`usermanage',`
+ usermanage_read_crack_db(xdm_t)
+')
+
ifdef(`TODO',`
# cjp: TODO: integrate strict policy:
-daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
-
allow initrc_t xdm_var_run_t:fifo_file unlink;
# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
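Review bot: `seutil_sigchld_newrole(xdm_t)` is wrapped in an optional_policy block for selinuxutil while `seutil_read_config(xdm_t)` and `seutil_read_default_contexts(xdm_t)` earlier in this file are called unconditionally; either selinuxutil is always present, in which case the wrapper here is unnecessary, or it is not, in which case the earlier calls need the same wrapper. Pick one treatment so the dependency is stated consistently. The TODO ifdef opened at the end of this hunk continues past it.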
@@ -159,8 +277,6 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
allow xdm_xserver_t xdm_var_run_t:file { getattr read };
-can_network(xdm_t)
-
allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
@@ -207,22 +323,9 @@ allow xdm_xserver_t sysadm_t:fd use;
rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
-allow xdm_t xdm_xserver_t:process sigkill;
-allow xdm_t xdm_xserver_tmp_t:file unlink;
-
-# Access devices.
-allow xdm_t console_device_t:chr_file setattr;
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
-allow xdm_t framebuf_device_t:chr_file { getattr setattr };
-allow xdm_t mouse_device_t:chr_file { getattr setattr };
-allow xdm_t apm_bios_t:chr_file { setattr getattr read write };
-allow xdm_t dri_device_t:chr_file rw_file_perms;
+
allow xdm_t device_t:dir rw_dir_perms;
-allow xdm_t agp_device_t:chr_file rw_file_perms;
-allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr };
-allow xdm_t v4l_device_t:chr_file { setattr getattr };
-allow xdm_t scanner_device_t:chr_file { setattr getattr };
-allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr };
can_resmgrd_connect(xdm_t)
# Access xdm log files.
@@ -243,14 +346,6 @@ allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
-ifdef(`gpm.te', `
-# Talk to the console mouse server.
-allow xdm_t gpmctl_t:sock_file { getattr setattr write };
-allow xdm_t gpm_t:unix_stream_socket connectto;
-')
-
-allow xdm_t sysfs_t:dir search;
-
# Need to further investigate these permissions and
# perhaps define derived types.
allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
@@ -266,35 +361,12 @@ can_unix_connect(xdm_t, xfs_t)
# Signal any user domain.
allow xdm_t userdomain:process signal_perms;
-# Search /proc for any user domain processes.
-allow xdm_t userdomain:dir r_dir_perms;
-allow xdm_t userdomain:{ file lnk_file } r_file_perms;
-
-# Allow xdm access to the user domains
-allow xdm_t home_root_t:dir search;
-allow xdm_xserver_t home_root_t:dir search;
-
# Do not audit denied attempts to access devices.
-dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms};
-dontaudit xdm_t device_t:file_class_set rw_file_perms;
-dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
-dontaudit xdm_t removable_device_t:file_class_set rw_file_perms;
-dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms;
dontaudit xdm_t devpts_t:dir search;
-# Do not audit denied probes of /proc.
-dontaudit xdm_t domain:dir r_dir_perms;
-dontaudit xdm_t domain:{ file lnk_file } r_file_perms;
-
-# Read fonts
-read_fonts(xdm_t)
-
# Do not audit attempts to write to index files under /usr
dontaudit xdm_t usr_t:file write;
-# Do not audit access to /root
-dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };
-
# Do not audit user access to the X log files due to file handle inheritance
dontaudit unpriv_userdomain xserver_log_t:file { write append };
@@ -302,12 +374,6 @@ dontaudit unpriv_userdomain xserver_log_t:file { write append };
dontaudit xdm_t { var_spool_t mail_spool_t }:dir search;
dontaudit xdm_t mail_spool_t:file getattr;
-# Access sound device.
-allow xdm_t sound_device_t:chr_file { setattr getattr };
-
-# Allow setting of attributes on power management devices.
-allow xdm_t power_device_t:chr_file { getattr setattr };
-
# Run the X server in a derived domain.
xserver_domain(xdm)
@@ -317,28 +383,10 @@ allow xdm_xserver_t ramfs_t:file create_file_perms;
allow rhgb_t xdm_xserver_t:process signal;
')
-# Unrestricted inheritance.
-allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh };
-
-# Run xkbcomp.
-allow xdm_xserver_t var_lib_t:dir search;
-allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
-can_exec(xdm_xserver_t, xkb_var_lib_t)
-
-optional_policy(`prelink',`
- prelink_object_file(xkb_var_lib_t)
-')
-
# Insert video drivers.
-allow xdm_xserver_t self:capability mknod;
-allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
-domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t)
allow insmod_t xserver_log_t:file write;
allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
-# Read /proc/dri/.*
-allow xdm_xserver_t proc_t:dir { search read };
-
# Search /var/run.
allow xdm_xserver_t var_run_t:dir search;
@@ -348,6 +396,7 @@ allow xdm_xserver_t var_run_t:dir search;
# (xauth?)
# Search home directories.
+allow xdm_xserver_t home_root_t:dir search;
allow xdm_xserver_t user_home_type:dir search;
allow xdm_xserver_t user_home_type:file { getattr read };
@@ -364,13 +413,9 @@ allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
can_exec(xdm_t, cifs_t)
}
-# for .dmrc
-allow xdm_t user_home_dir_type:dir { getattr search };
-allow xdm_t user_home_type:file { getattr read };
-
ifdef(`support_polyinstatiation', `
# xdm_t can polyinstantiate
-polyinstantiater(xdm_t)
+files_polyinstantiate_all(xdm_t)
# xdm needs access for linking .X11-unix to poly /tmp
allow xdm_t polymember:dir { add_name remove_name write };
allow xdm_t polymember:lnk_file { create unlink };
@@ -378,7 +423,6 @@ allow xdm_t polymember:lnk_file { create unlink };
allow xdm_t polymember:file { create getattr write };
')
-allow xdm_t mnt_t:dir { getattr read search };
#
# Wants to delete .xsession-errors file
#
@@ -386,46 +430,10 @@ allow xdm_t user_home_type:file unlink;
#
# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
#
-ifdef(`pam.te', `
-allow xdm_t pam_var_run_t:dir create_dir_perms;
-allow xdm_t pam_var_run_t:file create_file_perms;
allow pam_t xdm_t:fifo_file { getattr ioctl write };
-domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t)
-can_exec(xdm_t, pam_exec_t)
-# For pam_console
-rw_dir_create_file(xdm_t, pam_var_console_t)
-')
-
-# Pamconsole/alsa
-ifdef(`alsa.te', `
-domain_auto_trans(xdm_t, alsa_exec_t, alsa_t)
-') dnl ifdef
-
-allow xdm_t var_log_t:file { getattr read };
-allow xdm_t wtmp_t:file { getattr read };
-
-#
-# Poweroff wants to create the /poweroff file when run from xdm
-#
-file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)
-
-#
-# xdm tries to bind to biff_port_t
-#
-dontaudit xdm_t port_type:tcp_socket name_bind;
# VNC v4 module in X server
-allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;
-ifdef(`crack.te', `
-allow xdm_t crack_db_t:file r_file_perms;
-')
-
-# Run telinit->init to shutdown.
-can_exec(xdm_t, init_exec_t)
-allow xdm_t self:sem create_sem_perms;
-
-# Allow gdm to run gdm-binary
-can_exec(xdm_t, xdm_exec_t)
+corenet_tcp_bind_vnc_port(xdm_xserver_t)
# Supress permission check on .ICE-unix
dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
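Review bot: `corenet_tcp_bind_vnc_port(xdm_xserver_t)` replaces the removed `allow xdm_xserver_t vnc_port_t:tcp_socket name_bind` but stays inside the TODO ifdef that opens earlier in the file, so it is not compiled into the policy; if VNC binding for the X server domain is meant to be live it should move into one of the templates in xserver.if, together with whatever node-bind rule it needs. If leaving it in TODO is intentional, the `# VNC v4 module in X server` comment above it should say so, since the rest of this hunk converts TODO rules into live interface calls elsewhere in the file. The `allow pam_t xdm_t:fifo_file { getattr ioctl write }` line kept here is in the same situation.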
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index f783f67..cdd8699 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -68,6 +68,7 @@ template(`xserver_common_domain_template',`
kernel_read_system_state($1_xserver_t)
kernel_read_device_sysctl($1_xserver_t)
+ kernel_read_modprobe_sysctl($1_xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctl($1_xserver_t)
@@ -129,6 +130,8 @@ template(`xserver_common_domain_template',`
miscfiles_read_localization($1_xserver_t)
miscfiles_read_fonts($1_xserver_t)
+ modutils_domtrans_insmod($1_xserver_t)
+
seutil_dontaudit_search_config($1_xserver_t)
sysnet_read_config($1_xserver_t)
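Review bot: `modutils_domtrans_insmod($1_xserver_t)` now lets every X server domain built from this template transition to the module-loading domain unconditionally, whereas the TODO block removed in the next hunk kept it (with `kernel_read_modprobe_sysctl`) under distro_redhat; a comment next to it such as `# Xorg loads kernel video drivers via insmod` would record why this is now generic, mirroring the `# Insert video drivers.` comment left behind in xdm.te. The xdm.te rules this replaces also carried `allow xdm_xserver_t self:capability mknod;`, and no equivalent appears in the template hunks; if the X server still needs mknod it is now silently missing, otherwise it is a welcome tightening worth a word in the commit message. The enclosing template opens before this hunk.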
@@ -147,10 +150,6 @@ template(`xserver_common_domain_template',`
ifdef(`TODO',`
ifdef(`distro_redhat',`
- kernel_read_modprobe_sysctl($1_xserver_t)
-
- modutils_domtrans_insmod($1_xserver_t)
-
ifdef(`rpm.te', `
allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
allow $1_xserver_t rpm_tmpfs_t:file { read write };
@@ -430,8 +429,9 @@ template(`xserver_displaymgr_domain_template',`
allow $1_xserver_t $2:fd use;
allow $1_xserver_t $2:fifo_file rw_file_perms;
allow $1_xserver_t $2:process { signal sigchld };
+ allow $2 $1_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
- allow $2 $1_xserver_t:process signal;
+ allow $2 $1_xserver_tmp_t:file unlink;
allow $2 $1_xserver_tmp_t:dir r_dir_perms;
allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
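Review bot: The new `allow $2 $1_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }` folds in the rules removed from xdm.te under `# Unrestricted inheritance.` but drops that comment, and noatsecure in particular deserves one, since as I read it it lets the transition from $2 into the X server domain proceed without AT_SECURE being set, so the loader's secure-exec restrictions are not applied across it. Suggest keeping the inheritance bits on their own commented line, `# Unrestricted inheritance: X server keeps the display manager's rlimits, signal state and non-secure exec.` followed by `allow $2 $1_xserver_t:process { noatsecure siginh rlimitinh };`, and leaving `allow $2 $1_xserver_t:process { signal sigkill };` beside the other signal rules. The template this hunk belongs to opens before it.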
@@ -440,6 +440,11 @@ template(`xserver_displaymgr_domain_template',`
allow $2 $1_xserver_t:shm rw_shm_perms;
allow $1_xserver_t $2:shm rw_shm_perms;
+ # Run xkbcomp.
+ can_exec($1_xserver_t, xkb_var_lib_t)
+ allow $1_xserver_t xkb_var_lib_t:lnk_file read;
+ files_search_var_lib($1_xserver_t)
+
init_use_fd($1_xserver_t)
userdom_dontaudit_search_all_users_home($1_xserver_t)
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index c545ddb..1b291fc 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -28,3 +28,7 @@ files_type(xserver_exec_t)
# Type for the X server log file.
type xserver_log_t;
logging_log_file(xserver_log_t)
+
+optional_policy(`prelink',`
+ prelink_object_file(xkb_var_lib_t)
+')