Navigation

← Previous Changeset
Next Changeset →

Changeset 2706

Timestamp:

05/30/08 10:05:17 (6 months ago)

Author:

pebenito

Message:

rbacsep: first steps in collapsing xserver.

Files:

branches/rbacsep/policy/modules/services/xserver.te (modified) (6 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

branches/rbacsep/policy/modules/services/xserver.te

r2675	r2706
54	54	type focus_xevent_t, xevent_type;
55	55
	56	type iceauth_t;
56	57	type iceauth_exec_t;
57		application_executable_file(iceauth_exec_t)
	58	application_domain(iceauth_t, iceauth_exec_t)
	59
	60	type iceauth_home_t;
	61	files_poly_member(iceauth_home_t)
	62	userdom_user_home_content($1,iceauth_home_t)
58	63
59	64	type info_xproperty_t, xproperty_type;
…	…
69	74	type video_xext_t, xextension_type;
70	75	type unknown_xevent_t, xevent_type;
	76
	77	type user_fonts_t;
	78	userdom_user_home_content($1,user_fonts_t)
	79
	80	type user_fonts_cache_t, fonts_cache_type;
	81	userdom_user_home_content($1,user_fonts_cache_t)
	82
	83	type user_fonts_config_t, fonts_config_type;
	84	userdom_user_home_content($1,user_fonts_cache_t)
	85
71	86	type xevent_t alias default_xevent_t, xevent_type;
72	87	type xext_t alias unknown_xext_t, xextension_type;
…	…
74	89	type xselection_t alias default_xselection_t, xselection_type;
75	90
	91	type xauth_t;
76	92	type xauth_exec_t;
77		application_executable_file(xauth_exec_t)
	93	application_domain(xauth_t, xauth_exec_t)
	94
	95	type xauth_home_t;
	96	files_poly_member(xauth_home_t)
	97	userdom_user_home_content($1,xauth_home_t)
	98
	99	type xauth_tmp_t;
	100	files_tmp_file(xauth_tmp_t)
78	101
79	102	# this is not actually a device, its a pipe
…	…
113	136
114	137	# Type for the executable used to start the X server, e.g. Xwrapper.
	138	type xserver_t, x_server_domain;
115	139	type xserver_exec_t;
116		corecmd_executable_file(xserver_exec_t)
	140	domain_type(xserver_t)
	141	domain_entry_file(xserver_t, xserver_exec_t)
	142
	143	type xserver_tmp_t;
	144	files_tmp_file(xserver_tmp_t)
	145
	146	type xserver_tmpfs_t;
	147	files_tmpfs_file(xserver_tmpfs_t)
117	148
118	149	type xsession_exec_t;
…	…
134	165	optional_policy(`
135	166	prelink_object_file(xkb_var_lib_t)
	167	')
	168
	169	########################################
	170	#
	171	# Iceauth local policy
	172	#
	173
	174	domtrans_pattern($2, iceauth_exec_t, iceauth_t)
	175
	176	allow iceauth_t iceauth_home_t:file manage_file_perms;
	177	userdom_user_home_dir_filetrans($1,iceauth_t,iceauth_home_t,file)
	178
	179	# allow ps to show iceauth
	180	ps_process_pattern($2, iceauth_t)
	181
	182	allow $2 iceauth_home_t:file manage_file_perms;
	183	allow $2 iceauth_home_t:file { relabelfrom relabelto };
	184
	185	allow xdm_t iceauth_home_t:file read_file_perms;
	186
	187	fs_search_auto_mountpoints(iceauth_t)
	188
	189	libs_use_ld_so(iceauth_t)
	190	libs_use_shared_libs(iceauth_t)
	191
	192	userdom_use_user_terminals($1, iceauth_t)
	193
	194	tunable_policy(`use_nfs_home_dirs',`
	195	fs_manage_nfs_files(iceauth_t)
	196	')
	197
	198	tunable_policy(`use_samba_home_dirs',`
	199	fs_manage_cifs_files(iceauth_t)
	200	')
	201
	202	########################################
	203	#
	204	# Xauth local policy
	205	#
	206
	207	allow xauth_t self:process signal;
	208	allow xauth_t self:unix_stream_socket create_stream_socket_perms;
	209
	210	allow xauth_t xauth_home_t:file manage_file_perms;
	211	userdom_user_home_dir_filetrans($1,xauth_t,xauth_home_t,file)
	212
	213	manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
	214	manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
	215	files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
	216
	217	domtrans_pattern($2, xauth_exec_t, xauth_t)
	218
	219	allow $2 xauth_t:process signal;
	220
	221	# allow ps to show xauth
	222	ps_process_pattern($2,xauth_t)
	223
	224	allow $2 xauth_home_t:file manage_file_perms;
	225	allow $2 xauth_home_t:file { relabelfrom relabelto };
	226
	227	allow xdm_t xauth_home_t:file manage_file_perms;
	228	userdom_user_home_dir_filetrans($1,xdm_t,xauth_home_t,file)
	229
	230	domain_use_interactive_fds(xauth_t)
	231
	232	files_read_etc_files(xauth_t)
	233	files_search_pids(xauth_t)
	234
	235	fs_getattr_xattr_fs(xauth_t)
	236	fs_search_auto_mountpoints(xauth_t)
	237
	238	# cjp: why?
	239	term_use_ptmx(xauth_t)
	240
	241	auth_use_nsswitch(xauth_t)
	242
	243	libs_use_ld_so(xauth_t)
	244	libs_use_shared_libs(xauth_t)
	245
	246	userdom_use_user_terminals($1,xauth_t)
	247	userdom_read_user_tmp_files($1,xauth_t)
	248
	249	xserver_rw_xdm_tmp_files(xauth_t)
	250
	251	tunable_policy(`use_nfs_home_dirs',`
	252	fs_manage_nfs_files(xauth_t)
	253	')
	254
	255	tunable_policy(`use_samba_home_dirs',`
	256	fs_manage_cifs_files(xauth_t)
	257	')
	258
	259	optional_policy(`
	260	ssh_sigchld(xauth_t)
	261	ssh_read_pipes(xauth_t)
	262	ssh_dontaudit_rw_tcp_sockets(xauth_t)
136	263	')
137	264
…	…
489	616	')
490	617
	618	attribute $1_x_domain;
	619	attribute $1_input_xevent_type;
	620
	621	type $1_rootwindow_t, rootwindow_type;
	622
	623	########################################
	624	#
	625	# X server local policy
	626	#
	627
	628	# setuid/setgid for the wrapper program to change UID
	629	# sys_rawio is for iopl access - should not be needed for frame-buffer
	630	# sys_admin, locking shared mem? chowning IPC message queues or semaphores?
	631	# admin of APM bios?
	632	# sys_nice is so that the X server can set a negative nice value
	633	# execheap needed until the X module loader is fixed.
	634	# NVIDIA Needs execstack
	635
	636	allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
	637	dontaudit xserver_t self:capability chown;
	638	allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	639	allow xserver_t self:memprotect mmap_zero;
	640	allow xserver_t self:fd use;
	641	allow xserver_t self:fifo_file rw_fifo_file_perms;
	642	allow xserver_t self:sock_file read_sock_file_perms;
	643	allow xserver_t self:shm create_shm_perms;
	644	allow xserver_t self:sem create_sem_perms;
	645	allow xserver_t self:msgq create_msgq_perms;
	646	allow xserver_t self:msg { send receive };
	647	allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
	648	allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
	649	allow xserver_t self:tcp_socket create_stream_socket_perms;
	650	allow xserver_t self:udp_socket create_socket_perms;
	651
	652	manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
	653	manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
	654	manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
	655	files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
	656
	657	filetrans_pattern(xserver_t, xdm_xserver_tmp_t, xserver_tmp_t,sock_file)
	658
	659	manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
	660	manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
	661	manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
	662	manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
	663	manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
	664	fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
	665
	666	manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
	667	manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
	668	files_search_var_lib(xserver_t)
	669
	670	# Create files in /var/log with the xserver_log_t type.
	671	manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
	672	logging_log_filetrans(xserver_t, xserver_log_t,file)
	673
	674	# Labeling rules for default windows and colormaps
	675	type_transition xserver_t xserver_t:{ x_drawable x_colormap } $1_rootwindow_t;
	676
	677	kernel_read_system_state(xserver_t)
	678	kernel_read_device_sysctls(xserver_t)
	679	kernel_read_modprobe_sysctls(xserver_t)
	680	# Xorg wants to check if kernel is tainted
	681	kernel_read_kernel_sysctls(xserver_t)
	682	kernel_write_proc_files(xserver_t)
	683
	684	# Run helper programs in xserver_t.
	685	corecmd_exec_bin(xserver_t)
	686	corecmd_exec_shell(xserver_t)
	687
	688	corenet_all_recvfrom_unlabeled(xserver_t)
	689	corenet_all_recvfrom_netlabel(xserver_t)
	690	corenet_tcp_sendrecv_generic_if(xserver_t)
	691	corenet_udp_sendrecv_generic_if(xserver_t)
	692	corenet_tcp_sendrecv_all_nodes(xserver_t)
	693	corenet_udp_sendrecv_all_nodes(xserver_t)
	694	corenet_tcp_sendrecv_all_ports(xserver_t)
	695	corenet_udp_sendrecv_all_ports(xserver_t)
	696	corenet_tcp_bind_all_nodes(xserver_t)
	697	corenet_tcp_bind_xserver_port(xserver_t)
	698	corenet_tcp_connect_all_ports(xserver_t)
	699	corenet_sendrecv_xserver_server_packets(xserver_t)
	700	corenet_sendrecv_all_client_packets(xserver_t)
	701
	702	dev_rw_sysfs(xserver_t)
	703	dev_rw_mouse(xserver_t)
	704	dev_rw_mtrr(xserver_t)
	705	dev_rw_apm_bios(xserver_t)
	706	dev_rw_agp(xserver_t)
	707	dev_rw_framebuffer(xserver_t)
	708	dev_manage_dri_dev(xserver_t)
	709	dev_create_generic_dirs(xserver_t)
	710	dev_setattr_generic_dirs(xserver_t)
	711	# raw memory access is needed if not using the frame buffer
	712	dev_read_raw_memory(xserver_t)
	713	dev_wx_raw_memory(xserver_t)
	714	# for other device nodes such as the NVidia binary-only driver
	715	dev_rw_xserver_misc(xserver_t)
	716	# read events - the synaptics touchpad driver reads raw events
	717	dev_rw_input_dev(xserver_t)
	718	dev_rwx_zero(xserver_t)
	719
	720	domain_mmap_low(xserver_t)
	721
	722	files_read_etc_files(xserver_t)
	723	files_read_etc_runtime_files(xserver_t)
	724	files_read_usr_files(xserver_t)
	725
	726	# brought on by rhgb
	727	files_search_mnt(xserver_t)
	728	# for nscd
	729	files_dontaudit_search_pids(xserver_t)
	730
	731	fs_getattr_xattr_fs(xserver_t)
	732	fs_search_nfs(xserver_t)
	733	fs_search_auto_mountpoints(xserver_t)
	734	fs_search_ramfs(xserver_t)
	735
	736	mls_xwin_read_to_clearance(xserver_t)
	737
	738	selinux_validate_context(xserver_t)
	739	selinux_compute_access_vector(xserver_t)
	740	selinux_compute_create_context(xserver_t)
	741
	742	auth_use_nsswitch(xserver_t)
	743
	744	init_getpgid(xserver_t)
	745
	746	term_setattr_unallocated_ttys(xserver_t)
	747	term_use_unallocated_ttys(xserver_t)
	748
	749	getty_use_fds(xserver_t)
	750
	751	libs_use_ld_so(xserver_t)
	752	libs_use_shared_libs(xserver_t)
	753
	754	locallogin_use_fds(xserver_t)
	755
	756	logging_send_syslog_msg(xserver_t)
	757	logging_send_audit_msgs(xserver_t)
	758
	759	miscfiles_read_localization(xserver_t)
	760	miscfiles_read_fonts(xserver_t)
	761
	762	modutils_domtrans_insmod(xserver_t)
	763
	764	# read x_contexts
	765	seutil_read_default_contexts(xserver_t)
	766
	767	ifndef(`distro_redhat',`
	768	allow xserver_t self:process { execmem execheap execstack };
	769	')
	770
	771	ifdef(`distro_rhel4',`
	772	allow xserver_t self:process { execmem execheap execstack };
	773	')
	774
	775	tunable_policy(`!xserver_object_manager',`
	776	# should be xserver_unconfined(xserver_t),
	777	# but typeattribute doesnt work in conditionals
	778	gen_require(`
	779	attribute x_server_domain, x_domain;
	780	attribute xproperty_type, xselection_type;
	781	attribute xextension_type, xevent_type;
	782	attribute rootwindow_type;
	783
	784	type remote_xclient_t;
	785	')
	786	allow xserver_t x_server_domain:x_server *;
	787	allow xserver_t { x_domain rootwindow_type }:x_drawable *;
	788	allow xserver_t x_server_domain:x_screen *;
	789	allow xserver_t x_domain:x_gc *;
	790	allow xserver_t { x_domain rootwindow_type }:x_colormap *;
	791	allow xserver_t xproperty_type:x_property *;
	792	allow xserver_t xselection_type:x_selection *;
	793	allow xserver_t x_domain:x_cursor *;
	794	allow xserver_t { x_domain remote_xclient_t }:x_client *;
	795	allow xserver_t { x_domain x_server_domain }:x_device *;
	796	allow xserver_t xextension_type:x_extension *;
	797	allow xserver_t { x_domain x_server_domain }:x_resource *;
	798	allow xserver_t xevent_type:{ x_event x_synthetic_event } *;
	799	')
	800
	801	optional_policy(`
	802	apm_stream_connect(xserver_t)
	803	')
	804
	805	optional_policy(`
	806	auth_search_pam_console_data(xserver_t)
	807	')
	808
	809	optional_policy(`
	810	rhgb_getpgid(xserver_t)
	811	rhgb_signal(xserver_t)
	812	')
	813
	814	optional_policy(`
	815	xfs_stream_connect(xserver_t)
	816	')
	817
	818	##############################
	819	#
	820	# $1_xserver_t Local policy
	821	#
	822
	823	domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
	824
	825	allow xserver_t xauth_home_t:file { getattr read };
	826
	827	domtrans_pattern($2, xserver_exec_t, xserver_t)
	828	allow xserver_t $2:process signal;
	829
	830	allow xserver_t $2:shm rw_shm_perms;
	831
	832	manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
	833	manage_files_pattern($2, user_fonts_t, user_fonts_t)
	834	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
	835	relabel_files_pattern($2, user_fonts_t, user_fonts_t)
	836
	837	manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
	838	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
	839	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
	840
	841	# For startup relabel
	842	allow $2 user_fonts_cache_t:{ dir file } { relabelto relabelfrom };
	843
	844	stream_connect_pattern($2, $1_xserver_tmp_t, $1_xserver_tmp_t, $1_xserver_t)
	845
	846	allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
	847
	848	# Communicate via System V shared memory.
	849	allow $1_xserver_t $2:shm rw_shm_perms;
	850	allow $2 $1_xserver_t:shm rw_shm_perms;
	851
	852	userdom_search_user_home_dirs($1,$1_xserver_t)
	853	userdom_use_user_ttys($1,$1_xserver_t)
	854	userdom_setattr_user_ttys($1,$1_xserver_t)
	855	userdom_rw_user_tmpfs_files($1,$1_xserver_t)
	856
	857	xserver_use_user_fonts($1,$1_xserver_t)
	858
	859	optional_policy(`
	860	userhelper_search_config($1_xserver_t)
	861	')
	862
	863	##############################
	864	#
	865	# User X object manager local policy
	866	#
	867
	868	# Device rules
	869	allow $1_x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
	870
	871	allow $1_xserver_t { input_xevent_t $1_input_xevent_type }:x_event send;
	872	allow $1_xserver_t { $1_rootwindow_t $1_x_domain }:x_drawable send;
	873
	874	# manage: xhost X11:ChangeHosts
	875	# freeze: metacity X11:GrabKey
	876	# force_cursor: metacity X11:GrabPointer
	877	allow $2 xserver_t:x_device { manage freeze force_cursor };
	878
	879	# gnome-settings-daemon XKEYBOARD:SetControls
	880	allow $2 xserver_t:x_server manage;
	881
	882	# gnome-settings-daemon RANDR:SelectInput
	883	allow $2 xserver_t:x_resource write;
	884
	885	# metacity X11:InstallColormap X11:UninstallColormap
	886	allow $2 $1_rootwindow_t:x_colormap { install uninstall };
	887
	888	# read: gnome-settings-daemon RANDR:GetScreenSizeRange
	889	# write: gnome-settings-daemon RANDR:SelectInput
	890	# setattr: gnome-settings-daemon X11:GrabKey
	891	# manage: metacity X11:ChangeWindowAttributes
	892	allow $2 $1_rootwindow_t:x_drawable { read write manage setattr };
	893
	894	# setattr: metacity X11:InstallColormap
	895	allow $2 xserver_t:x_screen { saver_setattr saver_getattr setattr };
	896
	897	# xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
	898	allow $2 info_xproperty_t:x_property { create write append };
	899
	900	xserver_common_x_domain_template($1,$1,$2)
	901	')
	902
491	903	########################################
492	904	#

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.