# Macros for xauth domains.
# Author: Russell Coker <russell@coker.com.au>
# xauth_domain(domain_prefix)
# Define a derived domain for the xauth program when executed
# The type declaration for the executable type for this program is
# provided separately in domains/program/xauth.te.
#-----------------------------------------------------------------------
# xauth_domain(domain_prefix)
#
# Argument 1 is the user-domain prefix (user -> user_t, user_xauth_t).
# Declares the per-user xauth domain and the home-directory file type
# that xauth writes, and wires the exec transition from the user domain
# and from its ssh domain. The previous definition is removed first so a
# stale macro from an earlier include cannot be expanded by mistake.
# The listing below appears to have lost the quote-only lines (the
# else-branch openers and closers of the inner ifdefs) in extraction;
# the code lines themselves are kept as they appear.
#-----------------------------------------------------------------------
undefine(`xauth_domain')
define(`xauth_domain',`
# single_userdomain: the xauth domain and its file type are aliases of the
# user domain and user home type, so none of the separation below applies.
ifdef(`single_userdomain', `
typealias $1_home_t alias $1_home_xauth_t;
typealias $1_t alias $1_xauth_t;
# NOTE(review): the else-branch opener of the ifdef above is not visible
# in this listing; presumably dropped in extraction.
# Derived domain based on the calling user domain and the program.
type $1_xauth_t, domain;
# File type for what xauth creates under the user home directory
# (presumably the X cookie file). Any domain allowed to read this type
# can read the X session credential, so readers below deserve scrutiny.
type $1_home_xauth_t, file_type, homedirfile, sysadmfile;
# locate is allowed to read the cookie file, not only stat it.
# NOTE(review): confirm read (rather than getattr alone) is intended here.
allow $1_locate_t $1_home_xauth_t:file { getattr read };
allow $1_xauth_t self:process signal;
# The user domain may create the cookie file and relabel it to/from this
# type, so the label is not protected against the owning user.
allow $1_t $1_home_xauth_t:file { relabelfrom relabelto create_file_perms };
# Transition from the user domain to this domain.
domain_auto_trans($1_t, xauth_exec_t, $1_xauth_t)
# Same transition when the ssh client domain runs xauth (presumably for
# X forwarding setup); the rules that follow cover the descriptors
# inherited from sshd and ssh in that case.
domain_auto_trans($1_ssh_t, xauth_exec_t, $1_xauth_t)
allow $1_xauth_t sshd_t:fifo_file { getattr read };
# Silences denials on an inherited ssh tcp socket; grants nothing.
dontaudit $1_xauth_t $1_ssh_t:tcp_socket { read write };
allow $1_xauth_t sshd_t:process sigchld;
# The user role is authorized for this domain.
role $1_r types $1_xauth_t;
# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te', `
allow $1_xauth_t $1_gph_t:fd use;
# NOTE(review): the closer of the gnome-pty-helper ifdef is not visible
# in this listing; presumably dropped in extraction.
allow $1_xauth_t privfd:fd use;
# allow ps to show xauth
allow $1_t $1_xauth_t:dir { search getattr read };
allow $1_t $1_xauth_t:{ file lnk_file } { read getattr };
allow $1_t $1_xauth_t:process signal;
uses_shlib($1_xauth_t)
# allow DNS lookups...
# NOTE(review): can_network is broader than name resolution alone; for a
# domain that handles the X credential, confirm a narrower grant is not
# available. The two can_udp_send rules cover the exchange with named_t.
can_network($1_xauth_t)
can_ypbind($1_xauth_t)
can_udp_send($1_xauth_t, named_t)
can_udp_send(named_t, $1_xauth_t)
allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
allow $1_xauth_t etc_t:file { getattr read };
allow $1_xauth_t fs_t:filesystem getattr;
# Write to the user domain tty.
allow $1_xauth_t $1_tty_device_t:chr_file rw_file_perms;
allow $1_xauth_t $1_devpts_t:chr_file rw_file_perms;
# Directory traversal only; no file access under var_t or var_run_t.
allow $1_xauth_t var_t:dir search;
allow $1_xauth_t var_run_t:dir search;
# this is what we are here for
# Files xauth creates in the user home directory get the xauth file type
# automatically instead of the generic user home type.
allow $1_xauth_t home_root_t:dir search;
file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_home_xauth_t, file)
# Read-only access to the user tmp files; search only on the shared tmp dir.
allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
allow $1_xauth_t tmp_t:dir { search };
# NFS-mounted home directories: traverse autofs mounts and create the
# cookie file on nfs_t. Note that no automatic type transition is
# declared for nfs_t, so the file keeps the nfs_t label there.
ifdef(`nfs_home_dirs', `
ifdef(`automount.te', `
allow $1_xauth_t autofs_t:dir { search getattr };
# NOTE(review): the closer of the automount ifdef is not visible in this
# listing; presumably dropped in extraction.
rw_dir_create_file($1_xauth_t, nfs_t)
')dnl end nfs_home_dirs
')dnl end ifdef single_userdomain
')dnl end xauth_domain macro
# Fallback when the xauth policy is not present (presumably the else
# branch of the enclosing ifdef on xauth.te): xauth_domain expands to
# nothing, so user-domain files that call it still build.
define(`xauth_domain',`')
')dnl end if xauth.te