diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index d9a269e..8122a19 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -35,17 +35,6 @@ allow sendmail_t self:fifo_file rw_file_perms;
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
 
-allow sendmail_t sendmail_log_t:file create_file_perms;
-allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
-logging_create_log(sendmail_t,sendmail_log_t,{ file dir })
-
-allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
-allow sendmail_t sendmail_tmp_t:file create_file_perms;
-files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })
-
-allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };
-files_create_pid(sendmail_t,sendmail_var_run_t)
-
 kernel_read_kernel_sysctl(sendmail_t)
 # for piping mail to a command
 kernel_read_system_state(sendmail_t)
@@ -112,6 +101,17 @@ ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(sendmail_t)
 term_dontaudit_use_generic_pty(sendmail_t)
 files_dontaudit_read_root_file(sendmail_t)
+',`
+ allow sendmail_t sendmail_log_t:file create_file_perms;
+ allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
+ logging_create_log(sendmail_t,sendmail_log_t,{ file dir })
+
+ allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
+ allow sendmail_t sendmail_tmp_t:file create_file_perms;
+ files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })
+
+ allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };
+ files_create_pid(sendmail_t,sendmail_var_run_t)
 ')
 
 optional_policy(`nis.te',`
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
index b79bc2e..ef63398 100644
--- a/refpolicy/policy/modules/services/xdm.te
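Review bot: After the move, the targeted branch of this ifdef grants sendmail_t nothing on sendmail_log_t, sendmail_tmp_t or sendmail_var_run_t, so the commit presumably relies on sendmail_t being unconfined in the targeted build, which nothing in this hunk shows; a comment on the targeted branch such as `# targeted: sendmail_t is unconfined elsewhere; log/tmp/pid rules are strict-only (see below)` would record that assumption where the next reader will look for it. The argument spacing in the moved macro calls is also inconsistent, `logging_create_log(sendmail_t,sendmail_log_t,{ file dir })` versus `files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })`. The targeted_policy ifdef itself opens in the hunk's header context, outside the hunk.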
+++ b/refpolicy/policy/modules/services/xdm.te @@ -55,14 +55,31 @@ files_tmpfs_file(xdm_tmpfs_t) # Local policy # -ifdef(`targeted_policy',`',` - allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; - allow xdm_t self:process { setexec setpgid setsched setrlimit }; - allow xdm_t self:fifo_file rw_file_perms; - allow xdm_t self:shm create_shm_perms; - allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; - allow xdm_t self:unix_dgram_socket create_socket_perms; +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; +allow xdm_t self:process { setexec setpgid setsched setrlimit }; +allow xdm_t self:fifo_file rw_file_perms; +allow xdm_t self:shm create_shm_perms; +allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow xdm_t self:unix_dgram_socket create_socket_perms; +kernel_read_system_state(xdm_t) +kernel_read_kernel_sysctl(xdm_t) + +dev_read_rand(xdm_t) +dev_read_urand(xdm_t) + +selinux_get_fs_mount(xdm_t) +selinux_validate_context(xdm_t) +selinux_compute_access_vector(xdm_t) +selinux_compute_create_context(xdm_t) +selinux_compute_relabel_context(xdm_t) +selinux_compute_user_contexts(xdm_t) + +files_read_etc_runtime_files(xdm_t) + +ifdef(`targeted_policy',` + unconfined_domain_template(xdm_t) +',` allow xdm_t xdm_lock_t:file create_file_perms; files_create_lock(xdm_t,xdm_lock_t) 
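Review bot: The `allow xdm_t self:capability { ... }` line this hunk makes unconditional carries a wide set (dac_override, dac_read_search, sys_rawio, mknod, ipc_owner among others) with no comment saying which of these the display manager itself needs, and it now also applies to the targeted build where the new `unconfined_domain_template(xdm_t)` presumably already covers it. A short comment above the line, e.g. `# broad capability set carried over from the strict policy; audit which of these xdm_t actually needs`, would help the next reviewer trim it rather than inherit it. The targeted_policy ifdef opened at the end of this hunk closes outside it.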
@@ -81,340 +98,325 @@ ifdef(`targeted_policy',`',`
 allow xdm_t xdm_var_lib_t:file create_file_perms;
 allow xdm_t xdm_var_lib_t:dir create_dir_perms;
 files_create_var_lib(xdm_t,xdm_var_lib_t)
+')
+
+ifdef(`TODO',`
+# cjp: TODO: integrate strict policy:
+daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
+
+allow xdm_t xdm_var_run_t:dir setattr;
+
+# for xdmctl
+allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
+allow initrc_t xdm_var_run_t:fifo_file unlink;
+file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)
+file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir)
+
+# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
+# handle of a file inside the dir!!!
+allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
+dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
+allow xdm_xserver_t xdm_var_run_t:file { getattr read };
+
+allow xdm_t default_context_t:dir search;
+allow xdm_t default_context_t:{ file lnk_file } { read getattr };
+
+can_network(xdm_t)
+allow xdm_t port_type:tcp_socket name_connect;
+
+allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
+allow xdm_t xdm_xserver_t:process signal;
+can_unix_connect(xdm_t, xdm_xserver_t)
+allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
+allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
+allow xdm_xserver_t xdm_t:process signal;
+# for reboot
+allow xdm_t initctl_t:fifo_file write;
+
+# init script wants to check if it needs to update windowmanagerlist
+allow initrc_t xdm_rw_etc_t:file { getattr read };
+ifdef(`distro_suse', `
+# set permissions on /tmp/.X11-unix
+allow initrc_t xdm_tmp_t:dir setattr;
+')
+
+# Transition to user domains for user sessions.
+domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)
+allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto;
+allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms;
+allow unpriv_userdomain xdm_xserver_t:fd use;
+allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read };
+allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms;
+allow xdm_xserver_t unpriv_userdomain:fd use;
+
+# Do not audit user access to the X log files due to file handle inheritance
+dontaudit unpriv_userdomain xserver_log_t:file { write append };
+
+# gnome-session creates socket under /tmp/.ICE-unix/
+allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms;
+allow unpriv_userdomain xdm_tmp_t:sock_file create;
+
+# Allow xdm logins as sysadm_r:sysadm_t
+bool xdm_sysadm_login false;
+if (xdm_sysadm_login) {
+domain_trans(xdm_t, xsession_exec_t, sysadm_t)
+allow sysadm_t xdm_xserver_t:unix_stream_socket connectto;
+allow sysadm_t xdm_xserver_t:shm r_shm_perms;
+allow sysadm_t xdm_xserver_t:fd use;
+allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read };
+allow xdm_xserver_t sysadm_t:shm rw_shm_perms;
+allow xdm_xserver_t sysadm_t:fd use;
+}
+
+# Label pid and temporary files with derived types.
+rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
+allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
+
+# Run helper programs.
+allow xdm_t etc_t:file { getattr read };
+allow xdm_t bin_t:dir { getattr search };
+# lib_t is for running cpp
+can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t })
+allow xdm_t { bin_t sbin_t }:lnk_file read;
+ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)')
+ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)')
+allow xdm_t xdm_xserver_t:process sigkill;
+allow xdm_t xdm_xserver_tmp_t:file unlink;
+
+# Access devices.
+allow xdm_t device_t:dir { read search };
+allow xdm_t console_device_t:chr_file setattr;
+allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t framebuf_device_t:chr_file { getattr setattr };
+allow xdm_t mouse_device_t:chr_file { getattr setattr };
+allow xdm_t apm_bios_t:chr_file { setattr getattr read write };
+allow xdm_t dri_device_t:chr_file rw_file_perms;
+allow xdm_t device_t:dir rw_dir_perms;
+allow xdm_t agp_device_t:chr_file rw_file_perms;
+allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr };
+allow xdm_t v4l_device_t:chr_file { setattr getattr };
+allow xdm_t scanner_device_t:chr_file { setattr getattr };
+allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr };
+allow xdm_t device_t:lnk_file read;
+can_resmgrd_connect(xdm_t)
+
+# Access xdm log files.
+file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file)
+allow xdm_t xserver_log_t:dir rw_dir_perms;
+allow xdm_t xserver_log_t:dir setattr;
+# Access /var/gdm/.gdmfifo.
+allow xdm_t xserver_log_t:fifo_file create_file_perms;
+
+allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto;
+allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms;
+allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use;
+allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read };
+allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms;
+allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
+
+# Remove /tmp/.X11-unix/X0.
+allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
+allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
+
+ifdef(`gpm.te', `
+# Talk to the console mouse server.
+allow xdm_t gpmctl_t:sock_file { getattr setattr write };
+allow xdm_t gpm_t:unix_stream_socket connectto;
+')
+
+allow xdm_t sysfs_t:dir search;
+
+# Update utmp and wtmp.
+allow xdm_t initrc_var_run_t: file { read write lock };
+allow xdm_t wtmp_t:file append;
+
+# Update lastlog.
+allow xdm_t lastlog_t:file rw_file_perms;
+
+# Need to further investigate these permissions and
+# perhaps define derived types.
+allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
+allow xdm_t var_lib_t:file { create write unlink };
+
+# Connect to xfs.
+ifdef(`xfs.te', `
+allow xdm_t xfs_tmp_t:dir search;
+allow xdm_t xfs_tmp_t:sock_file write;
+can_unix_connect(xdm_t, xfs_t)
+')
+
+allow xdm_t etc_t:lnk_file read;
+
+# wdm has its own config dir /etc/X11/wdm
+# this is ugly, daemons should not create files under /etc!
+allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
+allow xdm_t xdm_rw_etc_t:file create_file_perms;
+
+# Signal any user domain.
+allow xdm_t userdomain:process signal_perms;
+
+# Search /proc for any user domain processes.
+allow xdm_t userdomain:dir r_dir_perms;
+allow xdm_t userdomain:{ file lnk_file } r_file_perms;
+
+# Allow xdm access to the user domains
+allow xdm_t home_root_t:dir search;
+allow xdm_xserver_t home_root_t:dir search;
+
+# Do not audit denied attempts to access devices.
+dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms};
+dontaudit xdm_t device_t:file_class_set rw_file_perms;
+dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t removable_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t devpts_t:dir search;
+
+# Do not audit denied probes of /proc.
+dontaudit xdm_t domain:dir r_dir_perms;
+dontaudit xdm_t domain:{ file lnk_file } r_file_perms;
+
+# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
+allow xdm_t usr_t:{ lnk_file file } { getattr read };
+
+# Read fonts
+read_fonts(xdm_t)
+
+# Do not audit attempts to write to index files under /usr
+dontaudit xdm_t usr_t:file write;
 
- kernel_read_system_state(xdm_t)
- kernel_read_kernel_sysctl(xdm_t)
-
- dev_read_rand(xdm_t)
- dev_read_urand(xdm_t)
-
- selinux_get_fs_mount(xdm_t)
- selinux_validate_context(xdm_t)
- selinux_compute_access_vector(xdm_t)
- selinux_compute_create_context(xdm_t)
- selinux_compute_relabel_context(xdm_t)
- selinux_compute_user_contexts(xdm_t)
-
- files_read_etc_runtime_files(xdm_t)
-
- ifdef(`TODO',`
- # cjp: TODO: integrate strict policy:
- daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
-
- allow xdm_t xdm_var_run_t:dir setattr;
-
- # for xdmctl
- allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
- allow initrc_t xdm_var_run_t:fifo_file unlink;
- file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)
- file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir)
-
- # NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
- # handle of a file inside the dir!!!
- allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
- dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
- allow xdm_xserver_t xdm_var_run_t:file { getattr read };
-
- allow xdm_t default_context_t:dir search;
- allow xdm_t default_context_t:{ file lnk_file } { read getattr };
-
- can_network(xdm_t)
- allow xdm_t port_type:tcp_socket name_connect;
-
- allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
- allow xdm_t xdm_xserver_t:process signal;
- can_unix_connect(xdm_t, xdm_xserver_t)
- allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
- allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
- allow xdm_xserver_t xdm_t:process signal;
- # for reboot
- allow xdm_t initctl_t:fifo_file write;
-
- # init script wants to check if it needs to update windowmanagerlist
- allow initrc_t xdm_rw_etc_t:file { getattr read };
- ifdef(`distro_suse', `
- # set permissions on /tmp/.X11-unix
- allow initrc_t xdm_tmp_t:dir setattr;
- ')
-
- # Transition to user domains for user sessions.
- domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)
- allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto;
- allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms;
- allow unpriv_userdomain xdm_xserver_t:fd use;
- allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read };
- allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms;
- allow xdm_xserver_t unpriv_userdomain:fd use;
-
- # Do not audit user access to the X log files due to file handle inheritance
- dontaudit unpriv_userdomain xserver_log_t:file { write append };
-
- # gnome-session creates socket under /tmp/.ICE-unix/
- allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms;
- allow unpriv_userdomain xdm_tmp_t:sock_file create;
-
- # Allow xdm logins as sysadm_r:sysadm_t
- bool xdm_sysadm_login false;
- if (xdm_sysadm_login) {
- domain_trans(xdm_t, xsession_exec_t, sysadm_t)
- allow sysadm_t xdm_xserver_t:unix_stream_socket connectto;
- allow sysadm_t xdm_xserver_t:shm r_shm_perms;
- allow sysadm_t xdm_xserver_t:fd use;
- allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read };
- allow xdm_xserver_t sysadm_t:shm rw_shm_perms;
- allow xdm_xserver_t sysadm_t:fd use;
- }
-
- # Label pid and temporary files with derived types.
- rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
- allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
-
- # Run helper programs.
- allow xdm_t etc_t:file { getattr read };
- allow xdm_t bin_t:dir { getattr search };
- # lib_t is for running cpp
- can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t })
- allow xdm_t { bin_t sbin_t }:lnk_file read;
- ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)')
- ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)')
- allow xdm_t xdm_xserver_t:process sigkill;
- allow xdm_t xdm_xserver_tmp_t:file unlink;
-
- # Access devices.
- allow xdm_t device_t:dir { read search };
- allow xdm_t console_device_t:chr_file setattr;
- allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
- allow xdm_t framebuf_device_t:chr_file { getattr setattr };
- allow xdm_t mouse_device_t:chr_file { getattr setattr };
- allow xdm_t apm_bios_t:chr_file { setattr getattr read write };
- allow xdm_t dri_device_t:chr_file rw_file_perms;
- allow xdm_t device_t:dir rw_dir_perms;
- allow xdm_t agp_device_t:chr_file rw_file_perms;
- allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr };
- allow xdm_t v4l_device_t:chr_file { setattr getattr };
- allow xdm_t scanner_device_t:chr_file { setattr getattr };
- allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr };
- allow xdm_t device_t:lnk_file read;
- can_resmgrd_connect(xdm_t)
-
- # Access xdm log files.
- file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file)
- allow xdm_t xserver_log_t:dir rw_dir_perms;
- allow xdm_t xserver_log_t:dir setattr;
- # Access /var/gdm/.gdmfifo.
- allow xdm_t xserver_log_t:fifo_file create_file_perms;
-
- allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto;
- allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms;
- allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use;
- allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read };
- allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms;
- allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
-
- # Remove /tmp/.X11-unix/X0.
- allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
- allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
-
- ifdef(`gpm.te', `
- # Talk to the console mouse server.
- allow xdm_t gpmctl_t:sock_file { getattr setattr write };
- allow xdm_t gpm_t:unix_stream_socket connectto;
- ')
-
- allow xdm_t sysfs_t:dir search;
-
- # Update utmp and wtmp.
- allow xdm_t initrc_var_run_t: file { read write lock };
- allow xdm_t wtmp_t:file append;
-
- # Update lastlog.
- allow xdm_t lastlog_t:file rw_file_perms;
-
- # Need to further investigate these permissions and
- # perhaps define derived types.
- allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
- allow xdm_t var_lib_t:file { create write unlink };
-
- # Connect to xfs.
- ifdef(`xfs.te', `
- allow xdm_t xfs_tmp_t:dir search;
- allow xdm_t xfs_tmp_t:sock_file write;
- can_unix_connect(xdm_t, xfs_t)
- ')
-
- allow xdm_t etc_t:lnk_file read;
-
- # wdm has its own config dir /etc/X11/wdm
- # this is ugly, daemons should not create files under /etc!
- allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
- allow xdm_t xdm_rw_etc_t:file create_file_perms;
-
- # Signal any user domain.
- allow xdm_t userdomain:process signal_perms;
-
- # Search /proc for any user domain processes.
- allow xdm_t userdomain:dir r_dir_perms;
- allow xdm_t userdomain:{ file lnk_file } r_file_perms;
-
- # Allow xdm access to the user domains
- allow xdm_t home_root_t:dir search;
- allow xdm_xserver_t home_root_t:dir search;
-
- # Do not audit denied attempts to access devices.
- dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms};
- dontaudit xdm_t device_t:file_class_set rw_file_perms;
- dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
- dontaudit xdm_t removable_device_t:file_class_set rw_file_perms;
- dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms;
- dontaudit xdm_t devpts_t:dir search;
-
- # Do not audit denied probes of /proc.
- dontaudit xdm_t domain:dir r_dir_perms;
- dontaudit xdm_t domain:{ file lnk_file } r_file_perms;
-
- # Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
- allow xdm_t usr_t:{ lnk_file file } { getattr read };
-
- # Read fonts
- read_fonts(xdm_t)
-
- # Do not audit attempts to write to index files under /usr
- dontaudit xdm_t usr_t:file write;
-
- # Do not audit access to /root
- dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };
-
- # Do not audit user access to the X log files due to file handle inheritance
- dontaudit unpriv_userdomain xserver_log_t:file { write append };
-
- # Do not audit attempts to check whether user root has email
- dontaudit xdm_t { var_spool_t mail_spool_t }:dir search;
- dontaudit xdm_t mail_spool_t:file getattr;
-
- # Access sound device.
- allow xdm_t sound_device_t:chr_file { setattr getattr };
-
- # Allow setting of attributes on power management devices.
- allow xdm_t power_device_t:chr_file { getattr setattr };
-
- # Run the X server in a derived domain.
- xserver_domain(xdm)
-
- ifdef(`rhgb.te', `
- allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
- allow xdm_xserver_t ramfs_t:file create_file_perms;
- allow rhgb_t xdm_xserver_t:process signal;
- ')
-
- # Unrestricted inheritance.
- allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh };
-
- # Run xkbcomp.
- allow xdm_xserver_t var_lib_t:dir search;
- allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
- can_exec(xdm_xserver_t, xkb_var_lib_t)
-
- # Insert video drivers.
- allow xdm_xserver_t self:capability mknod;
- allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
- domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t)
- allow insmod_t xserver_log_t:file write;
- allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
-
- # Read /proc/dri/.*
- allow xdm_xserver_t proc_t:dir { search read };
-
- # Search /var/run.
- allow xdm_xserver_t var_run_t:dir search;
-
- # FIXME: After per user fonts are properly working
- # xdm_xserver_t may no longer have any reason
- # to read ROLE_home_t - examine this in more detail
- # (xauth?)
-
- # Search home directories.
- allow xdm_xserver_t user_home_type:dir search;
- allow xdm_xserver_t user_home_type:file { getattr read };
-
- if (use_nfs_home_dirs) {
- allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
- allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms;
- allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms;
- can_exec(xdm_t, nfs_t)
- }
-
- if (use_samba_home_dirs) {
- allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
- allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
- can_exec(xdm_t, cifs_t)
- }
-
- # for .dmrc
- allow xdm_t user_home_dir_type:dir { getattr search };
- allow xdm_t user_home_type:file { getattr read };
-
- ifdef(`support_polyinstatiation', `
- # xdm_t can polyinstantiate
- polyinstantiater(xdm_t)
- # xdm needs access for linking .X11-unix to poly /tmp
- allow xdm_t polymember:dir { add_name remove_name write };
- allow xdm_t polymember:lnk_file { create unlink };
- # xdm needs access for copying .Xauthority into new home
- allow xdm_t polymember:file { create getattr write };
- ')
-
- allow xdm_t mnt_t:dir { getattr read search };
- #
- # Wants to delete .xsession-errors file
- #
- allow xdm_t user_home_type:file unlink;
- #
- # Should fix exec of pam_timestamp_check is not closing xdm file descriptor
- #
- ifdef(`pam.te', `
- allow xdm_t pam_var_run_t:dir create_dir_perms;
- allow xdm_t pam_var_run_t:file create_file_perms;
- allow pam_t xdm_t:fifo_file { getattr ioctl write };
- domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t)
- can_exec(xdm_t, pam_exec_t)
- # For pam_console
- rw_dir_create_file(xdm_t, pam_var_console_t)
- ')
-
- # Pamconsole/alsa
- ifdef(`alsa.te', `
- domain_auto_trans(xdm_t, alsa_exec_t, alsa_t)
- ') dnl ifdef
-
- allow xdm_t var_log_t:file { getattr read };
- allow xdm_t wtmp_t:file { getattr read };
-
- domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
- #
- # Poweroff wants to create the /poweroff file when run from xdm
- #
- file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)
-
- #
- # xdm tries to bind to biff_port_t
- #
- dontaudit xdm_t port_type:tcp_socket name_bind;
-
- # VNC v4 module in X server
- allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;
- ifdef(`crack.te', `
- allow xdm_t crack_db_t:file r_file_perms;
- ')
- r_dir_file(xdm_t, selinux_config_t)
-
- # Run telinit->init to shutdown.
- can_exec(xdm_t, init_exec_t)
- allow xdm_t self:sem create_sem_perms;
-
- # Allow gdm to run gdm-binary
- can_exec(xdm_t, xdm_exec_t)
-
- # Supress permission check on .ICE-unix
- dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
- ') dnl end TODO
+# Do not audit access to /root
+dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };
+
+# Do not audit user access to the X log files due to file handle inheritance
+dontaudit unpriv_userdomain xserver_log_t:file { write append };
+
+# Do not audit attempts to check whether user root has email
+dontaudit xdm_t { var_spool_t mail_spool_t }:dir search;
+dontaudit xdm_t mail_spool_t:file getattr;
+
+# Access sound device.
+allow xdm_t sound_device_t:chr_file { setattr getattr };
+
+# Allow setting of attributes on power management devices.
+allow xdm_t power_device_t:chr_file { getattr setattr };
+
+# Run the X server in a derived domain.
+xserver_domain(xdm)
+
+ifdef(`rhgb.te', `
+allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
+allow xdm_xserver_t ramfs_t:file create_file_perms;
+allow rhgb_t xdm_xserver_t:process signal;
+')
+
+# Unrestricted inheritance.
+allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh };
+
+# Run xkbcomp.
+allow xdm_xserver_t var_lib_t:dir search;
+allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
+can_exec(xdm_xserver_t, xkb_var_lib_t)
+
+# Insert video drivers.
+allow xdm_xserver_t self:capability mknod;
+allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
+domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t)
+allow insmod_t xserver_log_t:file write;
+allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
+
+# Read /proc/dri/.*
+allow xdm_xserver_t proc_t:dir { search read };
+
+# Search /var/run.
+allow xdm_xserver_t var_run_t:dir search;
+
+# FIXME: After per user fonts are properly working
+# xdm_xserver_t may no longer have any reason
+# to read ROLE_home_t - examine this in more detail
+# (xauth?)
+
+# Search home directories.
+allow xdm_xserver_t user_home_type:dir search;
+allow xdm_xserver_t user_home_type:file { getattr read };
+
+if (use_nfs_home_dirs) {
+allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
+allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms;
+allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms;
+can_exec(xdm_t, nfs_t)
+}
+
+if (use_samba_home_dirs) {
+allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
+allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
+can_exec(xdm_t, cifs_t)
+}
+
+# for .dmrc
+allow xdm_t user_home_dir_type:dir { getattr search };
+allow xdm_t user_home_type:file { getattr read };
+
+ifdef(`support_polyinstatiation', `
+# xdm_t can polyinstantiate
+polyinstantiater(xdm_t)
+# xdm needs access for linking .X11-unix to poly /tmp
+allow xdm_t polymember:dir { add_name remove_name write };
+allow xdm_t polymember:lnk_file { create unlink };
+# xdm needs access for copying .Xauthority into new home
+allow xdm_t polymember:file { create getattr write };
+')
+
+allow xdm_t mnt_t:dir { getattr read search };
+#
+# Wants to delete .xsession-errors file
+#
+allow xdm_t user_home_type:file unlink;
+#
+# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
+#
+ifdef(`pam.te', `
+allow xdm_t pam_var_run_t:dir create_dir_perms;
+allow xdm_t pam_var_run_t:file create_file_perms;
+allow pam_t xdm_t:fifo_file { getattr ioctl write };
+domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t)
+can_exec(xdm_t, pam_exec_t)
+# For pam_console
+rw_dir_create_file(xdm_t, pam_var_console_t)
 ')
+
+# Pamconsole/alsa
+ifdef(`alsa.te', `
+domain_auto_trans(xdm_t, alsa_exec_t, alsa_t)
+') dnl ifdef
+
+allow xdm_t var_log_t:file { getattr read };
+allow xdm_t wtmp_t:file { getattr read };
+
+domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
+#
+# Poweroff wants to create the /poweroff file when run from xdm
+#
+file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)
+
+#
+# xdm tries to bind to biff_port_t
+#
+dontaudit xdm_t port_type:tcp_socket name_bind;
+
+# VNC v4 module in X server
+allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;
+ifdef(`crack.te', `
+allow xdm_t crack_db_t:file r_file_perms;
+')
+r_dir_file(xdm_t, selinux_config_t)
+
+# Run telinit->init to shutdown.
+can_exec(xdm_t, init_exec_t)
+allow xdm_t self:sem create_sem_perms;
+
+# Allow gdm to run gdm-binary
+can_exec(xdm_t, xdm_exec_t)
+
+# Supress permission check on .ICE-unix
+dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
+') dnl end TODO
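Review bot: The relocated block keeps the misspelled m4 symbol `support_polyinstatiation` (an 'n' is missing from "polyinstantiation"), so if the build defines the conventionally spelled `support_polyinstantiation` the polyinstantiation section never expands; the commit only moves these lines, but it is the natural place to correct the name. Now that the whole TODO ifdef sits outside the targeted_policy branch, defining TODO would presumably apply rules such as `can_network(xdm_t)` and `allow xdm_t port_type:tcp_socket name_connect;` to the targeted build as well, which the old placement did not, so a comment under `# cjp: TODO: integrate strict policy:` stating whether the block is meant for the strict policy only would settle that. `# Supress permission check on .ICE-unix` is also a typo for "Suppress".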