diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index f797e16..c0ab5ae 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -232,6 +232,24 @@ interface(`mta_sendmail_mailserver',` ####################################### ## +## Allow the specified domain to use +## the sendmail program as an entrypoint. +## +## +## Domain allowed access. +## +# +# cjp: added for targeted sendmail (unconfined) +interface(`mta_sendmail_entry',` + gen_require(` + type sendmail_exec_t; + ') + + domain_entry_file($1,sendmail_exec_t) +') + +####################################### +## ## Make a type a mailserver type used ## for sending mail. ## diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index 9f4448b..d9a269e 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te @@ -17,8 +17,7 @@ files_pid_file(sendmail_var_run_t) ifdef(`targeted_policy',` unconfined_alias_domain(sendmail_t) - type sendmail_exec_t; - domain_entry_file(sendmail_t,sendmail_exec_t) + mta_sendmail_entry(sendmail_t) ',` type sendmail_t; mta_sendmail_mailserver(sendmail_t) diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te index 62fbe6f..b79bc2e 100644 --- a/refpolicy/policy/modules/services/xdm.te +++ b/refpolicy/policy/modules/services/xdm.te @@ -55,368 +55,366 @@ files_tmpfs_file(xdm_tmpfs_t) # Local policy # -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid setsched setrlimit }; -allow xdm_t self:fifo_file rw_file_perms; -allow xdm_t self:shm create_shm_perms; -allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow xdm_t self:unix_dgram_socket create_socket_perms; - -allow xdm_t xdm_lock_t:file create_file_perms; -files_create_lock(xdm_t,xdm_lock_t) - -allow xdm_t xdm_tmp_t:dir create_dir_perms; -allow xdm_t xdm_tmp_t:file create_file_perms; -allow xdm_t xdm_tmp_t:file create_file_perms; -files_create_tmp_files(xdm_t, xdm_tmp_t, { file dir sock_file }) - -allow xdm_t xdm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; -allow xdm_t xdm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; -allow xdm_t xdm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; -allow xdm_t xdm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; -allow xdm_t xdm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; -fs_create_tmpfs_data(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - -allow xdm_t xdm_var_lib_t:file create_file_perms; -allow xdm_t xdm_var_lib_t:dir create_dir_perms; -files_create_var_lib(xdm_t,xdm_var_lib_t) - -kernel_read_system_state(xdm_t) -kernel_read_kernel_sysctl(xdm_t) - -dev_read_rand(xdm_t) -dev_read_urand(xdm_t) - -selinux_get_fs_mount(xdm_t) -selinux_validate_context(xdm_t) -selinux_compute_access_vector(xdm_t) -selinux_compute_create_context(xdm_t) -selinux_compute_relabel_context(xdm_t) -selinux_compute_user_contexts(xdm_t) - -files_read_etc_runtime_files(xdm_t) - -ifdef(`targeted_policy',` - unconfined_domain_template(xdm_t) -') - -ifdef(`TODO',` -# cjp: TODO: integrate strict policy: -daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain') - -allow xdm_t xdm_var_run_t:dir setattr; - -# for xdmctl -allow xdm_t xdm_var_run_t:fifo_file create_file_perms; -allow initrc_t xdm_var_run_t:fifo_file unlink; -file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file) -file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir) - -# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open -# handle of a file inside the dir!!! -allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; -dontaudit xdm_xserver_t xdm_var_lib_t:dir search; -allow xdm_xserver_t xdm_var_run_t:file { getattr read }; - -allow xdm_t default_context_t:dir search; -allow xdm_t default_context_t:{ file lnk_file } { read getattr }; - -can_network(xdm_t) -allow xdm_t port_type:tcp_socket name_connect; - -allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms; -allow xdm_t xdm_xserver_t:process signal; -can_unix_connect(xdm_t, xdm_xserver_t) -allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms; -allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms }; -allow xdm_xserver_t xdm_t:process signal; -# for reboot -allow xdm_t initctl_t:fifo_file write; - -# init script wants to check if it needs to update windowmanagerlist -allow initrc_t xdm_rw_etc_t:file { getattr read }; -ifdef(`distro_suse', ` -# set permissions on /tmp/.X11-unix -allow initrc_t xdm_tmp_t:dir setattr; +ifdef(`targeted_policy',`',` + allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; + allow xdm_t self:process { setexec setpgid setsched setrlimit }; + allow xdm_t self:fifo_file rw_file_perms; + allow xdm_t self:shm create_shm_perms; + allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; + allow xdm_t self:unix_dgram_socket create_socket_perms; + + allow xdm_t xdm_lock_t:file create_file_perms; + files_create_lock(xdm_t,xdm_lock_t) + + allow xdm_t xdm_tmp_t:dir create_dir_perms; + allow xdm_t xdm_tmp_t:file create_file_perms; + allow xdm_t xdm_tmp_t:file create_file_perms; + files_create_tmp_files(xdm_t, xdm_tmp_t, { file dir sock_file }) + + allow xdm_t xdm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; + allow xdm_t xdm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + allow xdm_t xdm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; + allow xdm_t xdm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; + allow xdm_t xdm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; + fs_create_tmpfs_data(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + + allow xdm_t xdm_var_lib_t:file create_file_perms; + allow xdm_t xdm_var_lib_t:dir create_dir_perms; + files_create_var_lib(xdm_t,xdm_var_lib_t) + + kernel_read_system_state(xdm_t) + kernel_read_kernel_sysctl(xdm_t) + + dev_read_rand(xdm_t) + dev_read_urand(xdm_t) + + selinux_get_fs_mount(xdm_t) + selinux_validate_context(xdm_t) + selinux_compute_access_vector(xdm_t) + selinux_compute_create_context(xdm_t) + selinux_compute_relabel_context(xdm_t) + selinux_compute_user_contexts(xdm_t) + + files_read_etc_runtime_files(xdm_t) + + ifdef(`TODO',` + # cjp: TODO: integrate strict policy: + daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain') + + allow xdm_t xdm_var_run_t:dir setattr; + + # for xdmctl + allow xdm_t xdm_var_run_t:fifo_file create_file_perms; + allow initrc_t xdm_var_run_t:fifo_file unlink; + file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file) + file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir) + + # NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open + # handle of a file inside the dir!!! + allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; + dontaudit xdm_xserver_t xdm_var_lib_t:dir search; + allow xdm_xserver_t xdm_var_run_t:file { getattr read }; + + allow xdm_t default_context_t:dir search; + allow xdm_t default_context_t:{ file lnk_file } { read getattr }; + + can_network(xdm_t) + allow xdm_t port_type:tcp_socket name_connect; + + allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms; + allow xdm_t xdm_xserver_t:process signal; + can_unix_connect(xdm_t, xdm_xserver_t) + allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms; + allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms }; + allow xdm_xserver_t xdm_t:process signal; + # for reboot + allow xdm_t initctl_t:fifo_file write; + + # init script wants to check if it needs to update windowmanagerlist + allow initrc_t xdm_rw_etc_t:file { getattr read }; + ifdef(`distro_suse', ` + # set permissions on /tmp/.X11-unix + allow initrc_t xdm_tmp_t:dir setattr; + ') + + # Transition to user domains for user sessions. + domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain) + allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto; + allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms; + allow unpriv_userdomain xdm_xserver_t:fd use; + allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read }; + allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms; + allow xdm_xserver_t unpriv_userdomain:fd use; + + # Do not audit user access to the X log files due to file handle inheritance + dontaudit unpriv_userdomain xserver_log_t:file { write append }; + + # gnome-session creates socket under /tmp/.ICE-unix/ + allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms; + allow unpriv_userdomain xdm_tmp_t:sock_file create; + + # Allow xdm logins as sysadm_r:sysadm_t + bool xdm_sysadm_login false; + if (xdm_sysadm_login) { + domain_trans(xdm_t, xsession_exec_t, sysadm_t) + allow sysadm_t xdm_xserver_t:unix_stream_socket connectto; + allow sysadm_t xdm_xserver_t:shm r_shm_perms; + allow sysadm_t xdm_xserver_t:fd use; + allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read }; + allow xdm_xserver_t sysadm_t:shm rw_shm_perms; + allow xdm_xserver_t sysadm_t:fd use; + } + + # Label pid and temporary files with derived types. + rw_dir_create_file(xdm_xserver_t, xdm_tmp_t) + allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms; + + # Run helper programs. + allow xdm_t etc_t:file { getattr read }; + allow xdm_t bin_t:dir { getattr search }; + # lib_t is for running cpp + can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t }) + allow xdm_t { bin_t sbin_t }:lnk_file read; + ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)') + ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)') + allow xdm_t xdm_xserver_t:process sigkill; + allow xdm_t xdm_xserver_tmp_t:file unlink; + + # Access devices. + allow xdm_t device_t:dir { read search }; + allow xdm_t console_device_t:chr_file setattr; + allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; + allow xdm_t framebuf_device_t:chr_file { getattr setattr }; + allow xdm_t mouse_device_t:chr_file { getattr setattr }; + allow xdm_t apm_bios_t:chr_file { setattr getattr read write }; + allow xdm_t dri_device_t:chr_file rw_file_perms; + allow xdm_t device_t:dir rw_dir_perms; + allow xdm_t agp_device_t:chr_file rw_file_perms; + allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr }; + allow xdm_t v4l_device_t:chr_file { setattr getattr }; + allow xdm_t scanner_device_t:chr_file { setattr getattr }; + allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr }; + allow xdm_t device_t:lnk_file read; + can_resmgrd_connect(xdm_t) + + # Access xdm log files. + file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file) + allow xdm_t xserver_log_t:dir rw_dir_perms; + allow xdm_t xserver_log_t:dir setattr; + # Access /var/gdm/.gdmfifo. + allow xdm_t xserver_log_t:fifo_file create_file_perms; + + allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto; + allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms; + allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use; + allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read }; + allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms; + allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use; + + # Remove /tmp/.X11-unix/X0. + allow xdm_t xdm_xserver_tmp_t:dir { remove_name write }; + allow xdm_t xdm_xserver_tmp_t:sock_file unlink; + + ifdef(`gpm.te', ` + # Talk to the console mouse server. + allow xdm_t gpmctl_t:sock_file { getattr setattr write }; + allow xdm_t gpm_t:unix_stream_socket connectto; + ') + + allow xdm_t sysfs_t:dir search; + + # Update utmp and wtmp. + allow xdm_t initrc_var_run_t: file { read write lock }; + allow xdm_t wtmp_t:file append; + + # Update lastlog. + allow xdm_t lastlog_t:file rw_file_perms; + + # Need to further investigate these permissions and + # perhaps define derived types. + allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink }; + allow xdm_t var_lib_t:file { create write unlink }; + + # Connect to xfs. + ifdef(`xfs.te', ` + allow xdm_t xfs_tmp_t:dir search; + allow xdm_t xfs_tmp_t:sock_file write; + can_unix_connect(xdm_t, xfs_t) + ') + + allow xdm_t etc_t:lnk_file read; + + # wdm has its own config dir /etc/X11/wdm + # this is ugly, daemons should not create files under /etc! + allow xdm_t xdm_rw_etc_t:dir rw_dir_perms; + allow xdm_t xdm_rw_etc_t:file create_file_perms; + + # Signal any user domain. + allow xdm_t userdomain:process signal_perms; + + # Search /proc for any user domain processes. + allow xdm_t userdomain:dir r_dir_perms; + allow xdm_t userdomain:{ file lnk_file } r_file_perms; + + # Allow xdm access to the user domains + allow xdm_t home_root_t:dir search; + allow xdm_xserver_t home_root_t:dir search; + + # Do not audit denied attempts to access devices. + dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms}; + dontaudit xdm_t device_t:file_class_set rw_file_perms; + dontaudit xdm_t misc_device_t:file_class_set rw_file_perms; + dontaudit xdm_t removable_device_t:file_class_set rw_file_perms; + dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms; + dontaudit xdm_t devpts_t:dir search; + + # Do not audit denied probes of /proc. + dontaudit xdm_t domain:dir r_dir_perms; + dontaudit xdm_t domain:{ file lnk_file } r_file_perms; + + # Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme... + allow xdm_t usr_t:{ lnk_file file } { getattr read }; + + # Read fonts + read_fonts(xdm_t) + + # Do not audit attempts to write to index files under /usr + dontaudit xdm_t usr_t:file write; + + # Do not audit access to /root + dontaudit xdm_t sysadm_home_dir_t:dir { getattr search }; + + # Do not audit user access to the X log files due to file handle inheritance + dontaudit unpriv_userdomain xserver_log_t:file { write append }; + + # Do not audit attempts to check whether user root has email + dontaudit xdm_t { var_spool_t mail_spool_t }:dir search; + dontaudit xdm_t mail_spool_t:file getattr; + + # Access sound device. + allow xdm_t sound_device_t:chr_file { setattr getattr }; + + # Allow setting of attributes on power management devices. + allow xdm_t power_device_t:chr_file { getattr setattr }; + + # Run the X server in a derived domain. + xserver_domain(xdm) + + ifdef(`rhgb.te', ` + allow xdm_xserver_t ramfs_t:dir rw_dir_perms; + allow xdm_xserver_t ramfs_t:file create_file_perms; + allow rhgb_t xdm_xserver_t:process signal; + ') + + # Unrestricted inheritance. + allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh }; + + # Run xkbcomp. + allow xdm_xserver_t var_lib_t:dir search; + allow xdm_xserver_t xkb_var_lib_t:lnk_file read; + can_exec(xdm_xserver_t, xkb_var_lib_t) + + # Insert video drivers. + allow xdm_xserver_t self:capability mknod; + allow xdm_xserver_t sysctl_modprobe_t:file { getattr read }; + domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t) + allow insmod_t xserver_log_t:file write; + allow insmod_t xdm_xserver_t:unix_stream_socket { read write }; + + # Read /proc/dri/.* + allow xdm_xserver_t proc_t:dir { search read }; + + # Search /var/run. + allow xdm_xserver_t var_run_t:dir search; + + # FIXME: After per user fonts are properly working + # xdm_xserver_t may no longer have any reason + # to read ROLE_home_t - examine this in more detail + # (xauth?) + + # Search home directories. + allow xdm_xserver_t user_home_type:dir search; + allow xdm_xserver_t user_home_type:file { getattr read }; + + if (use_nfs_home_dirs) { + allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr }; + allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms; + allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms; + can_exec(xdm_t, nfs_t) + } + + if (use_samba_home_dirs) { + allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms; + allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms; + can_exec(xdm_t, cifs_t) + } + + # for .dmrc + allow xdm_t user_home_dir_type:dir { getattr search }; + allow xdm_t user_home_type:file { getattr read }; + + ifdef(`support_polyinstatiation', ` + # xdm_t can polyinstantiate + polyinstantiater(xdm_t) + # xdm needs access for linking .X11-unix to poly /tmp + allow xdm_t polymember:dir { add_name remove_name write }; + allow xdm_t polymember:lnk_file { create unlink }; + # xdm needs access for copying .Xauthority into new home + allow xdm_t polymember:file { create getattr write }; + ') + + allow xdm_t mnt_t:dir { getattr read search }; + # + # Wants to delete .xsession-errors file + # + allow xdm_t user_home_type:file unlink; + # + # Should fix exec of pam_timestamp_check is not closing xdm file descriptor + # + ifdef(`pam.te', ` + allow xdm_t pam_var_run_t:dir create_dir_perms; + allow xdm_t pam_var_run_t:file create_file_perms; + allow pam_t xdm_t:fifo_file { getattr ioctl write }; + domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t) + can_exec(xdm_t, pam_exec_t) + # For pam_console + rw_dir_create_file(xdm_t, pam_var_console_t) + ') + + # Pamconsole/alsa + ifdef(`alsa.te', ` + domain_auto_trans(xdm_t, alsa_exec_t, alsa_t) + ') dnl ifdef + + allow xdm_t var_log_t:file { getattr read }; + allow xdm_t wtmp_t:file { getattr read }; + + domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t) + # + # Poweroff wants to create the /poweroff file when run from xdm + # + file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file) + + # + # xdm tries to bind to biff_port_t + # + dontaudit xdm_t port_type:tcp_socket name_bind; + + # VNC v4 module in X server + allow xdm_xserver_t vnc_port_t:tcp_socket name_bind; + ifdef(`crack.te', ` + allow xdm_t crack_db_t:file r_file_perms; + ') + r_dir_file(xdm_t, selinux_config_t) + + # Run telinit->init to shutdown. + can_exec(xdm_t, init_exec_t) + allow xdm_t self:sem create_sem_perms; + + # Allow gdm to run gdm-binary + can_exec(xdm_t, xdm_exec_t) + + # Supress permission check on .ICE-unix + dontaudit xdm_t ice_tmp_t:dir { getattr setattr }; + ') dnl end TODO ') - -# Transition to user domains for user sessions. -domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain) -allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto; -allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms; -allow unpriv_userdomain xdm_xserver_t:fd use; -allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read }; -allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms; -allow xdm_xserver_t unpriv_userdomain:fd use; - -# Do not audit user access to the X log files due to file handle inheritance -dontaudit unpriv_userdomain xserver_log_t:file { write append }; - -# gnome-session creates socket under /tmp/.ICE-unix/ -allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms; -allow unpriv_userdomain xdm_tmp_t:sock_file create; - -# Allow xdm logins as sysadm_r:sysadm_t -bool xdm_sysadm_login false; -if (xdm_sysadm_login) { -domain_trans(xdm_t, xsession_exec_t, sysadm_t) -allow sysadm_t xdm_xserver_t:unix_stream_socket connectto; -allow sysadm_t xdm_xserver_t:shm r_shm_perms; -allow sysadm_t xdm_xserver_t:fd use; -allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read }; -allow xdm_xserver_t sysadm_t:shm rw_shm_perms; -allow xdm_xserver_t sysadm_t:fd use; -} - -# Label pid and temporary files with derived types. -rw_dir_create_file(xdm_xserver_t, xdm_tmp_t) -allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms; - -# Run helper programs. -allow xdm_t etc_t:file { getattr read }; -allow xdm_t bin_t:dir { getattr search }; -# lib_t is for running cpp -can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t }) -allow xdm_t { bin_t sbin_t }:lnk_file read; -ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)') -ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)') -allow xdm_t xdm_xserver_t:process sigkill; -allow xdm_t xdm_xserver_tmp_t:file unlink; - -# Access devices. -allow xdm_t device_t:dir { read search }; -allow xdm_t console_device_t:chr_file setattr; -allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; -allow xdm_t framebuf_device_t:chr_file { getattr setattr }; -allow xdm_t mouse_device_t:chr_file { getattr setattr }; -allow xdm_t apm_bios_t:chr_file { setattr getattr read write }; -allow xdm_t dri_device_t:chr_file rw_file_perms; -allow xdm_t device_t:dir rw_dir_perms; -allow xdm_t agp_device_t:chr_file rw_file_perms; -allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr }; -allow xdm_t v4l_device_t:chr_file { setattr getattr }; -allow xdm_t scanner_device_t:chr_file { setattr getattr }; -allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr }; -allow xdm_t device_t:lnk_file read; -can_resmgrd_connect(xdm_t) - -# Access xdm log files. -file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file) -allow xdm_t xserver_log_t:dir rw_dir_perms; -allow xdm_t xserver_log_t:dir setattr; -# Access /var/gdm/.gdmfifo. -allow xdm_t xserver_log_t:fifo_file create_file_perms; - -allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto; -allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms; -allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use; -allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read }; -allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms; -allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use; - -# Remove /tmp/.X11-unix/X0. -allow xdm_t xdm_xserver_tmp_t:dir { remove_name write }; -allow xdm_t xdm_xserver_tmp_t:sock_file unlink; - -ifdef(`gpm.te', ` -# Talk to the console mouse server. -allow xdm_t gpmctl_t:sock_file { getattr setattr write }; -allow xdm_t gpm_t:unix_stream_socket connectto; -') - -allow xdm_t sysfs_t:dir search; - -# Update utmp and wtmp. -allow xdm_t initrc_var_run_t: file { read write lock }; -allow xdm_t wtmp_t:file append; - -# Update lastlog. -allow xdm_t lastlog_t:file rw_file_perms; - -# Need to further investigate these permissions and -# perhaps define derived types. -allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink }; -allow xdm_t var_lib_t:file { create write unlink }; - -# Connect to xfs. -ifdef(`xfs.te', ` -allow xdm_t xfs_tmp_t:dir search; -allow xdm_t xfs_tmp_t:sock_file write; -can_unix_connect(xdm_t, xfs_t) -') - -allow xdm_t etc_t:lnk_file read; - -# wdm has its own config dir /etc/X11/wdm -# this is ugly, daemons should not create files under /etc! -allow xdm_t xdm_rw_etc_t:dir rw_dir_perms; -allow xdm_t xdm_rw_etc_t:file create_file_perms; - -# Signal any user domain. -allow xdm_t userdomain:process signal_perms; - -# Search /proc for any user domain processes. -allow xdm_t userdomain:dir r_dir_perms; -allow xdm_t userdomain:{ file lnk_file } r_file_perms; - -# Allow xdm access to the user domains -allow xdm_t home_root_t:dir search; -allow xdm_xserver_t home_root_t:dir search; - -# Do not audit denied attempts to access devices. -dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms}; -dontaudit xdm_t device_t:file_class_set rw_file_perms; -dontaudit xdm_t misc_device_t:file_class_set rw_file_perms; -dontaudit xdm_t removable_device_t:file_class_set rw_file_perms; -dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms; -dontaudit xdm_t devpts_t:dir search; - -# Do not audit denied probes of /proc. -dontaudit xdm_t domain:dir r_dir_perms; -dontaudit xdm_t domain:{ file lnk_file } r_file_perms; - -# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme... -allow xdm_t usr_t:{ lnk_file file } { getattr read }; - -# Read fonts -read_fonts(xdm_t) - -# Do not audit attempts to write to index files under /usr -dontaudit xdm_t usr_t:file write; - -# Do not audit access to /root -dontaudit xdm_t sysadm_home_dir_t:dir { getattr search }; - -# Do not audit user access to the X log files due to file handle inheritance -dontaudit unpriv_userdomain xserver_log_t:file { write append }; - -# Do not audit attempts to check whether user root has email -dontaudit xdm_t { var_spool_t mail_spool_t }:dir search; -dontaudit xdm_t mail_spool_t:file getattr; - -# Access sound device. -allow xdm_t sound_device_t:chr_file { setattr getattr }; - -# Allow setting of attributes on power management devices. -allow xdm_t power_device_t:chr_file { getattr setattr }; - -# Run the X server in a derived domain. -xserver_domain(xdm) - -ifdef(`rhgb.te', ` -allow xdm_xserver_t ramfs_t:dir rw_dir_perms; -allow xdm_xserver_t ramfs_t:file create_file_perms; -allow rhgb_t xdm_xserver_t:process signal; -') - -# Unrestricted inheritance. -allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh }; - -# Run xkbcomp. -allow xdm_xserver_t var_lib_t:dir search; -allow xdm_xserver_t xkb_var_lib_t:lnk_file read; -can_exec(xdm_xserver_t, xkb_var_lib_t) - -# Insert video drivers. -allow xdm_xserver_t self:capability mknod; -allow xdm_xserver_t sysctl_modprobe_t:file { getattr read }; -domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t) -allow insmod_t xserver_log_t:file write; -allow insmod_t xdm_xserver_t:unix_stream_socket { read write }; - -# Read /proc/dri/.* -allow xdm_xserver_t proc_t:dir { search read }; - -# Search /var/run. -allow xdm_xserver_t var_run_t:dir search; - -# FIXME: After per user fonts are properly working -# xdm_xserver_t may no longer have any reason -# to read ROLE_home_t - examine this in more detail -# (xauth?) - -# Search home directories. -allow xdm_xserver_t user_home_type:dir search; -allow xdm_xserver_t user_home_type:file { getattr read }; - -if (use_nfs_home_dirs) { -allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr }; -allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms; -allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms; -can_exec(xdm_t, nfs_t) -} - -if (use_samba_home_dirs) { -allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms; -allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms; -can_exec(xdm_t, cifs_t) -} - -# for .dmrc -allow xdm_t user_home_dir_type:dir { getattr search }; -allow xdm_t user_home_type:file { getattr read }; - -ifdef(`support_polyinstatiation', ` -# xdm_t can polyinstantiate -polyinstantiater(xdm_t) -# xdm needs access for linking .X11-unix to poly /tmp -allow xdm_t polymember:dir { add_name remove_name write }; -allow xdm_t polymember:lnk_file { create unlink }; -# xdm needs access for copying .Xauthority into new home -allow xdm_t polymember:file { create getattr write }; -') - -allow xdm_t mnt_t:dir { getattr read search }; -# -# Wants to delete .xsession-errors file -# -allow xdm_t user_home_type:file unlink; -# -# Should fix exec of pam_timestamp_check is not closing xdm file descriptor -# -ifdef(`pam.te', ` -allow xdm_t pam_var_run_t:dir create_dir_perms; -allow xdm_t pam_var_run_t:file create_file_perms; -allow pam_t xdm_t:fifo_file { getattr ioctl write }; -domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t) -can_exec(xdm_t, pam_exec_t) -# For pam_console -rw_dir_create_file(xdm_t, pam_var_console_t) -') - -# Pamconsole/alsa -ifdef(`alsa.te', ` -domain_auto_trans(xdm_t, alsa_exec_t, alsa_t) -') dnl ifdef - -allow xdm_t var_log_t:file { getattr read }; -allow xdm_t wtmp_t:file { getattr read }; - -domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t) -# -# Poweroff wants to create the /poweroff file when run from xdm -# -file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file) - -# -# xdm tries to bind to biff_port_t -# -dontaudit xdm_t port_type:tcp_socket name_bind; - -# VNC v4 module in X server -allow xdm_xserver_t vnc_port_t:tcp_socket name_bind; -ifdef(`crack.te', ` -allow xdm_t crack_db_t:file r_file_perms; -') -r_dir_file(xdm_t, selinux_config_t) - -# Run telinit->init to shutdown. -can_exec(xdm_t, init_exec_t) -allow xdm_t self:sem create_sem_perms; - -# Allow gdm to run gdm-binary -can_exec(xdm_t, xdm_exec_t) - -# Supress permission check on .ICE-unix -dontaudit xdm_t ice_tmp_t:dir { getattr setattr }; -') dnl end TODO