[selinux-policy: 893/3172] nicer te_trans conflict fix
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:22:14 UTC 2010
commit f3936d3876f9a7550814c266fb23fa72f8e638cb
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Oct 28 19:18:50 2005 +0000
nicer te_trans conflict fix
refpolicy/policy/modules/services/sendmail.te | 22 +-
refpolicy/policy/modules/services/xdm.te | 686 +++++++++++++------------
2 files changed, 355 insertions(+), 353 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index d9a269e..8122a19 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -35,17 +35,6 @@ allow sendmail_t self:fifo_file rw_file_perms;
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
allow sendmail_t self:unix_dgram_socket create_socket_perms;
-allow sendmail_t sendmail_log_t:file create_file_perms;
-allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
-logging_create_log(sendmail_t,sendmail_log_t,{ file dir })
-
-allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
-allow sendmail_t sendmail_tmp_t:file create_file_perms;
-files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })
-
-allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };
-files_create_pid(sendmail_t,sendmail_var_run_t)
-
kernel_read_kernel_sysctl(sendmail_t)
# for piping mail to a command
kernel_read_system_state(sendmail_t)
@@ -112,6 +101,17 @@ ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(sendmail_t)
term_dontaudit_use_generic_pty(sendmail_t)
files_dontaudit_read_root_file(sendmail_t)
+',`
+ allow sendmail_t sendmail_log_t:file create_file_perms;
+ allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
+ logging_create_log(sendmail_t,sendmail_log_t,{ file dir })
+
+ allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
+ allow sendmail_t sendmail_tmp_t:file create_file_perms;
+ files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })
+
+ allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };
+ files_create_pid(sendmail_t,sendmail_var_run_t)
')
optional_policy(`nis.te',`
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
index b79bc2e..ef63398 100644
--- a/refpolicy/policy/modules/services/xdm.te
+++ b/refpolicy/policy/modules/services/xdm.te
@@ -55,14 +55,31 @@ files_tmpfs_file(xdm_tmpfs_t)
# Local policy
#
-ifdef(`targeted_policy',`',`
- allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
- allow xdm_t self:process { setexec setpgid setsched setrlimit };
- allow xdm_t self:fifo_file rw_file_perms;
- allow xdm_t self:shm create_shm_perms;
- allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow xdm_t self:unix_dgram_socket create_socket_perms;
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+allow xdm_t self:process { setexec setpgid setsched setrlimit };
+allow xdm_t self:fifo_file rw_file_perms;
+allow xdm_t self:shm create_shm_perms;
+allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow xdm_t self:unix_dgram_socket create_socket_perms;
+kernel_read_system_state(xdm_t)
+kernel_read_kernel_sysctl(xdm_t)
+
+dev_read_rand(xdm_t)
+dev_read_urand(xdm_t)
+
+selinux_get_fs_mount(xdm_t)
+selinux_validate_context(xdm_t)
+selinux_compute_access_vector(xdm_t)
+selinux_compute_create_context(xdm_t)
+selinux_compute_relabel_context(xdm_t)
+selinux_compute_user_contexts(xdm_t)
+
+files_read_etc_runtime_files(xdm_t)
+
+ifdef(`targeted_policy',`
+ unconfined_domain_template(xdm_t)
+',`
allow xdm_t xdm_lock_t:file create_file_perms;
files_create_lock(xdm_t,xdm_lock_t)
@@ -81,340 +98,325 @@ ifdef(`targeted_policy',`',`
allow xdm_t xdm_var_lib_t:file create_file_perms;
allow xdm_t xdm_var_lib_t:dir create_dir_perms;
files_create_var_lib(xdm_t,xdm_var_lib_t)
+')
+
+ifdef(`TODO',`
+# cjp: TODO: integrate strict policy:
+daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
+
+allow xdm_t xdm_var_run_t:dir setattr;
+
+# for xdmctl
+allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
+allow initrc_t xdm_var_run_t:fifo_file unlink;
+file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)
+file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir)
+
+# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
+# handle of a file inside the dir!!!
+allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
+dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
+allow xdm_xserver_t xdm_var_run_t:file { getattr read };
+
+allow xdm_t default_context_t:dir search;
+allow xdm_t default_context_t:{ file lnk_file } { read getattr };
+
+can_network(xdm_t)
+allow xdm_t port_type:tcp_socket name_connect;
+
+allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
+allow xdm_t xdm_xserver_t:process signal;
+can_unix_connect(xdm_t, xdm_xserver_t)
+allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
+allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
+allow xdm_xserver_t xdm_t:process signal;
+# for reboot
+allow xdm_t initctl_t:fifo_file write;
+
+# init script wants to check if it needs to update windowmanagerlist
+allow initrc_t xdm_rw_etc_t:file { getattr read };
+ifdef(`distro_suse', `
+# set permissions on /tmp/.X11-unix
+allow initrc_t xdm_tmp_t:dir setattr;
+')
+
+# Transition to user domains for user sessions.
+domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)
+allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto;
+allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms;
+allow unpriv_userdomain xdm_xserver_t:fd use;
+allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read };
+allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms;
+allow xdm_xserver_t unpriv_userdomain:fd use;
+
+# Do not audit user access to the X log files due to file handle inheritance
+dontaudit unpriv_userdomain xserver_log_t:file { write append };
+
+# gnome-session creates socket under /tmp/.ICE-unix/
+allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms;
+allow unpriv_userdomain xdm_tmp_t:sock_file create;
+
+# Allow xdm logins as sysadm_r:sysadm_t
+bool xdm_sysadm_login false;
+if (xdm_sysadm_login) {
+domain_trans(xdm_t, xsession_exec_t, sysadm_t)
+allow sysadm_t xdm_xserver_t:unix_stream_socket connectto;
+allow sysadm_t xdm_xserver_t:shm r_shm_perms;
+allow sysadm_t xdm_xserver_t:fd use;
+allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read };
+allow xdm_xserver_t sysadm_t:shm rw_shm_perms;
+allow xdm_xserver_t sysadm_t:fd use;
+}
+
+# Label pid and temporary files with derived types.
+rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
+allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
+
+# Run helper programs.
+allow xdm_t etc_t:file { getattr read };
+allow xdm_t bin_t:dir { getattr search };
+# lib_t is for running cpp
+can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t })
+allow xdm_t { bin_t sbin_t }:lnk_file read;
+ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)')
+ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)')
+allow xdm_t xdm_xserver_t:process sigkill;
+allow xdm_t xdm_xserver_tmp_t:file unlink;
+
+# Access devices.
+allow xdm_t device_t:dir { read search };
+allow xdm_t console_device_t:chr_file setattr;
+allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t framebuf_device_t:chr_file { getattr setattr };
+allow xdm_t mouse_device_t:chr_file { getattr setattr };
+allow xdm_t apm_bios_t:chr_file { setattr getattr read write };
+allow xdm_t dri_device_t:chr_file rw_file_perms;
+allow xdm_t device_t:dir rw_dir_perms;
+allow xdm_t agp_device_t:chr_file rw_file_perms;
+allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr };
+allow xdm_t v4l_device_t:chr_file { setattr getattr };
+allow xdm_t scanner_device_t:chr_file { setattr getattr };
+allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr };
+allow xdm_t device_t:lnk_file read;
+can_resmgrd_connect(xdm_t)
+
+# Access xdm log files.
+file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file)
+allow xdm_t xserver_log_t:dir rw_dir_perms;
+allow xdm_t xserver_log_t:dir setattr;
+# Access /var/gdm/.gdmfifo.
+allow xdm_t xserver_log_t:fifo_file create_file_perms;
+
+allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto;
+allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms;
+allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use;
+allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read };
+allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms;
+allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
+
+# Remove /tmp/.X11-unix/X0.
+allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
+allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
+
+ifdef(`gpm.te', `
+# Talk to the console mouse server.
+allow xdm_t gpmctl_t:sock_file { getattr setattr write };
+allow xdm_t gpm_t:unix_stream_socket connectto;
+')
+
+allow xdm_t sysfs_t:dir search;
+
+# Update utmp and wtmp.
+allow xdm_t initrc_var_run_t: file { read write lock };
+allow xdm_t wtmp_t:file append;
+
+# Update lastlog.
+allow xdm_t lastlog_t:file rw_file_perms;
+
+# Need to further investigate these permissions and
+# perhaps define derived types.
+allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
+allow xdm_t var_lib_t:file { create write unlink };
+
+# Connect to xfs.
+ifdef(`xfs.te', `
+allow xdm_t xfs_tmp_t:dir search;
+allow xdm_t xfs_tmp_t:sock_file write;
+can_unix_connect(xdm_t, xfs_t)
+')
+
+allow xdm_t etc_t:lnk_file read;
+
+# wdm has its own config dir /etc/X11/wdm
+# this is ugly, daemons should not create files under /etc!
+allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
+allow xdm_t xdm_rw_etc_t:file create_file_perms;
+
+# Signal any user domain.
+allow xdm_t userdomain:process signal_perms;
+
+# Search /proc for any user domain processes.
+allow xdm_t userdomain:dir r_dir_perms;
+allow xdm_t userdomain:{ file lnk_file } r_file_perms;
+
+# Allow xdm access to the user domains
+allow xdm_t home_root_t:dir search;
+allow xdm_xserver_t home_root_t:dir search;
+
+# Do not audit denied attempts to access devices.
+dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms};
+dontaudit xdm_t device_t:file_class_set rw_file_perms;
+dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t removable_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t devpts_t:dir search;
+
+# Do not audit denied probes of /proc.
+dontaudit xdm_t domain:dir r_dir_perms;
+dontaudit xdm_t domain:{ file lnk_file } r_file_perms;
+
+# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
+allow xdm_t usr_t:{ lnk_file file } { getattr read };
+
+# Read fonts
+read_fonts(xdm_t)
+
+# Do not audit attempts to write to index files under /usr
+dontaudit xdm_t usr_t:file write;
- kernel_read_system_state(xdm_t)
- kernel_read_kernel_sysctl(xdm_t)
-
- dev_read_rand(xdm_t)
- dev_read_urand(xdm_t)
-
- selinux_get_fs_mount(xdm_t)
- selinux_validate_context(xdm_t)
- selinux_compute_access_vector(xdm_t)
- selinux_compute_create_context(xdm_t)
- selinux_compute_relabel_context(xdm_t)
- selinux_compute_user_contexts(xdm_t)
-
- files_read_etc_runtime_files(xdm_t)
-
- ifdef(`TODO',`
- # cjp: TODO: integrate strict policy:
- daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
-
- allow xdm_t xdm_var_run_t:dir setattr;
-
- # for xdmctl
- allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
- allow initrc_t xdm_var_run_t:fifo_file unlink;
- file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)
- file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir)
-
- # NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
- # handle of a file inside the dir!!!
- allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
- dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
- allow xdm_xserver_t xdm_var_run_t:file { getattr read };
-
- allow xdm_t default_context_t:dir search;
- allow xdm_t default_context_t:{ file lnk_file } { read getattr };
-
- can_network(xdm_t)
- allow xdm_t port_type:tcp_socket name_connect;
-
- allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
- allow xdm_t xdm_xserver_t:process signal;
- can_unix_connect(xdm_t, xdm_xserver_t)
- allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
- allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
- allow xdm_xserver_t xdm_t:process signal;
- # for reboot
- allow xdm_t initctl_t:fifo_file write;
-
- # init script wants to check if it needs to update windowmanagerlist
- allow initrc_t xdm_rw_etc_t:file { getattr read };
- ifdef(`distro_suse', `
- # set permissions on /tmp/.X11-unix
- allow initrc_t xdm_tmp_t:dir setattr;
- ')
-
- # Transition to user domains for user sessions.
- domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)
- allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto;
- allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms;
- allow unpriv_userdomain xdm_xserver_t:fd use;
- allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read };
- allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms;
- allow xdm_xserver_t unpriv_userdomain:fd use;
-
- # Do not audit user access to the X log files due to file handle inheritance
- dontaudit unpriv_userdomain xserver_log_t:file { write append };
-
- # gnome-session creates socket under /tmp/.ICE-unix/
- allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms;
- allow unpriv_userdomain xdm_tmp_t:sock_file create;
-
- # Allow xdm logins as sysadm_r:sysadm_t
- bool xdm_sysadm_login false;
- if (xdm_sysadm_login) {
- domain_trans(xdm_t, xsession_exec_t, sysadm_t)
- allow sysadm_t xdm_xserver_t:unix_stream_socket connectto;
- allow sysadm_t xdm_xserver_t:shm r_shm_perms;
- allow sysadm_t xdm_xserver_t:fd use;
- allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read };
- allow xdm_xserver_t sysadm_t:shm rw_shm_perms;
- allow xdm_xserver_t sysadm_t:fd use;
- }
-
- # Label pid and temporary files with derived types.
- rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
- allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
-
- # Run helper programs.
- allow xdm_t etc_t:file { getattr read };
- allow xdm_t bin_t:dir { getattr search };
- # lib_t is for running cpp
- can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t })
- allow xdm_t { bin_t sbin_t }:lnk_file read;
- ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)')
- ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)')
- allow xdm_t xdm_xserver_t:process sigkill;
- allow xdm_t xdm_xserver_tmp_t:file unlink;
-
- # Access devices.
- allow xdm_t device_t:dir { read search };
- allow xdm_t console_device_t:chr_file setattr;
- allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
- allow xdm_t framebuf_device_t:chr_file { getattr setattr };
- allow xdm_t mouse_device_t:chr_file { getattr setattr };
- allow xdm_t apm_bios_t:chr_file { setattr getattr read write };
- allow xdm_t dri_device_t:chr_file rw_file_perms;
- allow xdm_t device_t:dir rw_dir_perms;
- allow xdm_t agp_device_t:chr_file rw_file_perms;
- allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr };
- allow xdm_t v4l_device_t:chr_file { setattr getattr };
- allow xdm_t scanner_device_t:chr_file { setattr getattr };
- allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr };
- allow xdm_t device_t:lnk_file read;
- can_resmgrd_connect(xdm_t)
-
- # Access xdm log files.
- file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file)
- allow xdm_t xserver_log_t:dir rw_dir_perms;
- allow xdm_t xserver_log_t:dir setattr;
- # Access /var/gdm/.gdmfifo.
- allow xdm_t xserver_log_t:fifo_file create_file_perms;
-
- allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto;
- allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms;
- allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use;
- allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read };
- allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms;
- allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
-
- # Remove /tmp/.X11-unix/X0.
- allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
- allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
-
- ifdef(`gpm.te', `
- # Talk to the console mouse server.
- allow xdm_t gpmctl_t:sock_file { getattr setattr write };
- allow xdm_t gpm_t:unix_stream_socket connectto;
- ')
-
- allow xdm_t sysfs_t:dir search;
-
- # Update utmp and wtmp.
- allow xdm_t initrc_var_run_t: file { read write lock };
- allow xdm_t wtmp_t:file append;
-
- # Update lastlog.
- allow xdm_t lastlog_t:file rw_file_perms;
-
- # Need to further investigate these permissions and
- # perhaps define derived types.
- allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
- allow xdm_t var_lib_t:file { create write unlink };
-
- # Connect to xfs.
- ifdef(`xfs.te', `
- allow xdm_t xfs_tmp_t:dir search;
- allow xdm_t xfs_tmp_t:sock_file write;
- can_unix_connect(xdm_t, xfs_t)
- ')
-
- allow xdm_t etc_t:lnk_file read;
-
- # wdm has its own config dir /etc/X11/wdm
- # this is ugly, daemons should not create files under /etc!
- allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
- allow xdm_t xdm_rw_etc_t:file create_file_perms;
-
- # Signal any user domain.
- allow xdm_t userdomain:process signal_perms;
-
- # Search /proc for any user domain processes.
- allow xdm_t userdomain:dir r_dir_perms;
- allow xdm_t userdomain:{ file lnk_file } r_file_perms;
-
- # Allow xdm access to the user domains
- allow xdm_t home_root_t:dir search;
- allow xdm_xserver_t home_root_t:dir search;
-
- # Do not audit denied attempts to access devices.
- dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms};
- dontaudit xdm_t device_t:file_class_set rw_file_perms;
- dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
- dontaudit xdm_t removable_device_t:file_class_set rw_file_perms;
- dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms;
- dontaudit xdm_t devpts_t:dir search;
-
- # Do not audit denied probes of /proc.
- dontaudit xdm_t domain:dir r_dir_perms;
- dontaudit xdm_t domain:{ file lnk_file } r_file_perms;
-
- # Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
- allow xdm_t usr_t:{ lnk_file file } { getattr read };
-
- # Read fonts
- read_fonts(xdm_t)
-
- # Do not audit attempts to write to index files under /usr
- dontaudit xdm_t usr_t:file write;
-
- # Do not audit access to /root
- dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };
-
- # Do not audit user access to the X log files due to file handle inheritance
- dontaudit unpriv_userdomain xserver_log_t:file { write append };
-
- # Do not audit attempts to check whether user root has email
- dontaudit xdm_t { var_spool_t mail_spool_t }:dir search;
- dontaudit xdm_t mail_spool_t:file getattr;
-
- # Access sound device.
- allow xdm_t sound_device_t:chr_file { setattr getattr };
-
- # Allow setting of attributes on power management devices.
- allow xdm_t power_device_t:chr_file { getattr setattr };
-
- # Run the X server in a derived domain.
- xserver_domain(xdm)
-
- ifdef(`rhgb.te', `
- allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
- allow xdm_xserver_t ramfs_t:file create_file_perms;
- allow rhgb_t xdm_xserver_t:process signal;
- ')
-
- # Unrestricted inheritance.
- allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh };
-
- # Run xkbcomp.
- allow xdm_xserver_t var_lib_t:dir search;
- allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
- can_exec(xdm_xserver_t, xkb_var_lib_t)
-
- # Insert video drivers.
- allow xdm_xserver_t self:capability mknod;
- allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
- domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t)
- allow insmod_t xserver_log_t:file write;
- allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
-
- # Read /proc/dri/.*
- allow xdm_xserver_t proc_t:dir { search read };
-
- # Search /var/run.
- allow xdm_xserver_t var_run_t:dir search;
-
- # FIXME: After per user fonts are properly working
- # xdm_xserver_t may no longer have any reason
- # to read ROLE_home_t - examine this in more detail
- # (xauth?)
-
- # Search home directories.
- allow xdm_xserver_t user_home_type:dir search;
- allow xdm_xserver_t user_home_type:file { getattr read };
-
- if (use_nfs_home_dirs) {
- allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
- allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms;
- allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms;
- can_exec(xdm_t, nfs_t)
- }
-
- if (use_samba_home_dirs) {
- allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
- allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
- can_exec(xdm_t, cifs_t)
- }
-
- # for .dmrc
- allow xdm_t user_home_dir_type:dir { getattr search };
- allow xdm_t user_home_type:file { getattr read };
-
- ifdef(`support_polyinstatiation', `
- # xdm_t can polyinstantiate
- polyinstantiater(xdm_t)
- # xdm needs access for linking .X11-unix to poly /tmp
- allow xdm_t polymember:dir { add_name remove_name write };
- allow xdm_t polymember:lnk_file { create unlink };
- # xdm needs access for copying .Xauthority into new home
- allow xdm_t polymember:file { create getattr write };
- ')
-
- allow xdm_t mnt_t:dir { getattr read search };
- #
- # Wants to delete .xsession-errors file
- #
- allow xdm_t user_home_type:file unlink;
- #
- # Should fix exec of pam_timestamp_check is not closing xdm file descriptor
- #
- ifdef(`pam.te', `
- allow xdm_t pam_var_run_t:dir create_dir_perms;
- allow xdm_t pam_var_run_t:file create_file_perms;
- allow pam_t xdm_t:fifo_file { getattr ioctl write };
- domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t)
- can_exec(xdm_t, pam_exec_t)
- # For pam_console
- rw_dir_create_file(xdm_t, pam_var_console_t)
- ')
-
- # Pamconsole/alsa
- ifdef(`alsa.te', `
- domain_auto_trans(xdm_t, alsa_exec_t, alsa_t)
- ') dnl ifdef
-
- allow xdm_t var_log_t:file { getattr read };
- allow xdm_t wtmp_t:file { getattr read };
-
- domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
- #
- # Poweroff wants to create the /poweroff file when run from xdm
- #
- file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)
-
- #
- # xdm tries to bind to biff_port_t
- #
- dontaudit xdm_t port_type:tcp_socket name_bind;
-
- # VNC v4 module in X server
- allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;
- ifdef(`crack.te', `
- allow xdm_t crack_db_t:file r_file_perms;
- ')
- r_dir_file(xdm_t, selinux_config_t)
-
- # Run telinit->init to shutdown.
- can_exec(xdm_t, init_exec_t)
- allow xdm_t self:sem create_sem_perms;
-
- # Allow gdm to run gdm-binary
- can_exec(xdm_t, xdm_exec_t)
-
- # Supress permission check on .ICE-unix
- dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
- ') dnl end TODO
+# Do not audit access to /root
+dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };
+
+# Do not audit user access to the X log files due to file handle inheritance
+dontaudit unpriv_userdomain xserver_log_t:file { write append };
+
+# Do not audit attempts to check whether user root has email
+dontaudit xdm_t { var_spool_t mail_spool_t }:dir search;
+dontaudit xdm_t mail_spool_t:file getattr;
+
+# Access sound device.
+allow xdm_t sound_device_t:chr_file { setattr getattr };
+
+# Allow setting of attributes on power management devices.
+allow xdm_t power_device_t:chr_file { getattr setattr };
+
+# Run the X server in a derived domain.
+xserver_domain(xdm)
+
+ifdef(`rhgb.te', `
+allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
+allow xdm_xserver_t ramfs_t:file create_file_perms;
+allow rhgb_t xdm_xserver_t:process signal;
+')
+
+# Unrestricted inheritance.
+allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh };
+
+# Run xkbcomp.
+allow xdm_xserver_t var_lib_t:dir search;
+allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
+can_exec(xdm_xserver_t, xkb_var_lib_t)
+
+# Insert video drivers.
+allow xdm_xserver_t self:capability mknod;
+allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
+domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t)
+allow insmod_t xserver_log_t:file write;
+allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
+
+# Read /proc/dri/.*
+allow xdm_xserver_t proc_t:dir { search read };
+
+# Search /var/run.
+allow xdm_xserver_t var_run_t:dir search;
+
+# FIXME: After per user fonts are properly working
+# xdm_xserver_t may no longer have any reason
+# to read ROLE_home_t - examine this in more detail
+# (xauth?)
+
+# Search home directories.
+allow xdm_xserver_t user_home_type:dir search;
+allow xdm_xserver_t user_home_type:file { getattr read };
+
+if (use_nfs_home_dirs) {
+allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
+allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms;
+allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms;
+can_exec(xdm_t, nfs_t)
+}
+
+if (use_samba_home_dirs) {
+allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
+allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
+can_exec(xdm_t, cifs_t)
+}
+
+# for .dmrc
+allow xdm_t user_home_dir_type:dir { getattr search };
+allow xdm_t user_home_type:file { getattr read };
+
+ifdef(`support_polyinstatiation', `
+# xdm_t can polyinstantiate
+polyinstantiater(xdm_t)
+# xdm needs access for linking .X11-unix to poly /tmp
+allow xdm_t polymember:dir { add_name remove_name write };
+allow xdm_t polymember:lnk_file { create unlink };
+# xdm needs access for copying .Xauthority into new home
+allow xdm_t polymember:file { create getattr write };
+')
+
+allow xdm_t mnt_t:dir { getattr read search };
+#
+# Wants to delete .xsession-errors file
+#
+allow xdm_t user_home_type:file unlink;
+#
+# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
+#
+ifdef(`pam.te', `
+allow xdm_t pam_var_run_t:dir create_dir_perms;
+allow xdm_t pam_var_run_t:file create_file_perms;
+allow pam_t xdm_t:fifo_file { getattr ioctl write };
+domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t)
+can_exec(xdm_t, pam_exec_t)
+# For pam_console
+rw_dir_create_file(xdm_t, pam_var_console_t)
')
+
+# Pamconsole/alsa
+ifdef(`alsa.te', `
+domain_auto_trans(xdm_t, alsa_exec_t, alsa_t)
+') dnl ifdef
+
+allow xdm_t var_log_t:file { getattr read };
+allow xdm_t wtmp_t:file { getattr read };
+
+domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
+#
+# Poweroff wants to create the /poweroff file when run from xdm
+#
+file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)
+
+#
+# xdm tries to bind to biff_port_t
+#
+dontaudit xdm_t port_type:tcp_socket name_bind;
+
+# VNC v4 module in X server
+allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;
+ifdef(`crack.te', `
+allow xdm_t crack_db_t:file r_file_perms;
+')
+r_dir_file(xdm_t, selinux_config_t)
+
+# Run telinit->init to shutdown.
+can_exec(xdm_t, init_exec_t)
+allow xdm_t self:sem create_sem_perms;
+
+# Allow gdm to run gdm-binary
+can_exec(xdm_t, xdm_exec_t)
+
+# Supress permission check on .ICE-unix
+dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
+') dnl end TODO
More information about the scm-commits
mailing list