~ubuntu-branches/ubuntu/natty/refpolicy-ubuntu/natty


Viewing changes to policy/modules/apps/wm.if

  • Committer: Bazaar Package Importer
  • Author(s): Caleb Case
  • Date: 2009-10-19 01:48:39 UTC
  • mfrom: (1.1.1 upstream)
  • Revision ID: james.westby@ubuntu.com-20091019014839-0rpi67ygkrjya30k
Tags: 0.2.20090730-0ubuntu1
* Updated to upstream release 2.20090730
* Handle Upstart direct execution of daemons.
* Pre-depend on selinux to ensure that the trigger is handled (LP: #434084).

 
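--- a/policy/modules/apps/wm.if
+++ b/policy/modules/apps/wm.if
@@ -0,0 +1,98 @@
+## <summary>X Window Managers</summary>
+
+#######################################
+## <summary>
+##      The role template for the wm module.
+## </summary>
+## <desc>
+##      <p>
+##      This template creates a derived domains which are used
+##      for window manager applications.
+##      </p>
+## </desc>
+## <param name="role_prefix">
+##      <summary>
+##      The prefix of the user domain (e.g., user
+##      is the prefix for user_t).
+##      </summary>
+## </param>
+## <param name="user_role">
+##      <summary>
+##      The role associated with the user domain.
+##      </summary>
+## </param>
+## <param name="user_domain">
+##      <summary>
+##      The type of the user domain.
+##      </summary>
+## </param>
+#
+template(`wm_role_template',`
+        gen_require(`
+                type wm_exec_t;
+        ')
+
+        type $1_wm_t;
+        domain_type($1_wm_t)
+        domain_entry_file($1_wm_t, wm_exec_t)
+        role $2 types $1_wm_t;
+
+        allow $1_wm_t self:fifo_file rw_fifo_file_perms;
+        allow $1_wm_t self:process getsched;
+        allow $1_wm_t self:shm create_shm_perms;
+
+        allow $1_wm_t $3:unix_stream_socket connectto;
+
+        domtrans_pattern($3, wm_exec_t, $1_wm_t)
+
+        kernel_read_system_state($1_wm_t)
+
+        corecmd_bin_domtrans($1_wm_t, $3)
+        corecmd_shell_domtrans($1_wm_t, $3)
+
+        dev_read_urand($1_wm_t)
+
+        files_read_etc_files($1_wm_t)
+        files_read_usr_files($1_wm_t)
+
+        mls_file_read_all_levels($1_wm_t)
+        mls_file_write_all_levels($1_wm_t)
+        mls_xwin_read_all_levels($1_wm_t)
+        mls_xwin_write_all_levels($1_wm_t)
+        mls_fd_use_all_levels($1_wm_t)
+
+        auth_use_nsswitch($1_wm_t)
+
+        miscfiles_read_fonts($1_wm_t)
+        miscfiles_read_localization($1_wm_t)
+
+        userdom_manage_home_role($2, $1_wm_t)
+        userdom_manage_tmpfs_role($2, $1_wm_t)
+        userdom_manage_tmp_role($2, $1_wm_t)
+
+        optional_policy(`
+                dbus_system_bus_client($1_wm_t)
+        ')
+
+        optional_policy(`
+                xserver_role($2, $1_wm_t)
+        ')
+')
+
+########################################
+## <summary>
+##      Execute the wm program in the wm domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`wm_exec',`
+        gen_require(`
+                type wm_exec_t;
+        ')
+
+        can_exec($1, wm_exec_t)
+')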
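Review bot: The summary on `wm_exec` says the program runs "in the wm domain", but the body is only `can_exec($1, wm_exec_t)`, which lets the caller execute wm_exec_t without a domain transition, so the process stays in the caller's domain and gets none of the confinement the wording implies. The summary should read `##      Execute the wm program in the caller domain.` so that policy authors do not mistake this interface for a transition. Separately, `wm_role_template` gives every derived `$1_wm_t` both `mls_file_read_all_levels` and `mls_file_write_all_levels` alongside `userdom_manage_home_role`, which exempts the window manager from the MLS file constraints in both directions. The xwin overrides are presumably needed for a process that manages windows at every level, but the file overrides should carry a comment stating why they are required, or be dropped if they are not.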