Layer: services

Module: xserver


Description:

X Windows Server


Tunables:

selinuxuser_direct_dri_enabled
Default value

false

Description

Allow regular users direct dri device access

xdm_bind_vnc_tcp_port
Default value

false

Description

Allows xdm_t to bind on vnc_port_t(5910)

xdm_exec_bootloader
Default value

false

Description

Allow the graphical login program to execute bootloader

xdm_sysadm_login
Default value

false

Description

Allow the graphical login program to login directly as sysadm_r:sysadm_t

xdm_write_home
Default value

false

Description

Allow the graphical login program to create files in HOME dirs as xdm_home_t.

xserver_clients_write_xshm
Default value

false

Description

Allows clients to write to the X server shared memory segments.

xserver_execmem
Default value

false

Description

Allows XServer to execute writable memory

xserver_object_manager
Default value

false

Description

Support X userspace object manager
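
As an added example (not part of the reference policy documentation), the shell function below checks `getsebool -a` output against the defaults listed above, where every tunable is false. The sample input is constructed, and the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the xserver module booleans against the documented
# defaults. All eight tunables on this page default to false (off).

XSERVER_TUNABLES="selinuxuser_direct_dri_enabled xdm_bind_vnc_tcp_port
xdm_exec_bootloader xdm_sysadm_login xdm_write_home
xserver_clients_write_xshm xserver_execmem xserver_object_manager"

# Constructed sample of `getsebool -a` output (not captured from a real host).
sample_getsebool() {
cat <<'EOF'
httpd_enable_cgi --> on
selinuxuser_direct_dri_enabled --> on
xdm_bind_vnc_tcp_port --> off
xdm_exec_bootloader --> off
xdm_sysadm_login --> on
xdm_write_home --> off
xserver_clients_write_xshm --> off
xserver_execmem --> off
EOF
}

# Reads "name --> state" lines on stdin and prints one line per finding:
#   ENABLED  <name>          boolean is on, deviating from the default
#   MISSING  <name>          boolean not reported by the loaded policy
#   UNPARSED <name> <state>  state was neither on nor off
audit_xserver_booleans() {
    input=$(cat)
    for name in $XSERVER_TUNABLES; do
        state=$(printf '%s\n' "$input" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        case "$state" in
            off) ;;
            on)  echo "ENABLED $name" ;;
            "")  echo "MISSING $name" ;;
            *)   echo "UNPARSED $name $state" ;;
        esac
    done
}

# On a live system: getsebool -a | audit_xserver_booleans
sample_getsebool | audit_xserver_booleans
```

A boolean reported as ENABLED can be returned to its default with `setsebool -P <name> off` once the reason it was enabled has been reviewed.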


Interfaces:

xserver_admin_home_dir_filetrans_xauth( domain )
Summary

Create a Xauthority file in the admin home directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_append_xdm_home_files( domain )
Summary

Append to .xsession-errors file.

Parameters
Parameter:Description:
domain

Domain to not audit

xserver_append_xdm_stream_socket( domain )
Summary

Allow domain to append XDM unix domain stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_append_xdm_tmp_files( domain )
Summary

Allow appending to the xdm tmp files.

Parameters
Parameter:Description:
domain

Domain to not audit

xserver_create_xdm_tmp_sockets( domain )
Summary

Create a named socket in a XDM temporary directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_dbus_chat( domain )
Summary

Send and receive messages from xdm over dbus.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_dbus_chat_xdm( domain )
Summary

Send and receive messages from xdm over dbus.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_delete_log( domain )
Summary

Delete X server log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_domtrans( domain )
Summary

Execute the X server in the X server domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

xserver_domtrans_xauth( domain )
Summary

Transition to the Xauthority domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

xserver_dontaudit_append_xdm_home_files( domain )
Summary

Dontaudit append to .xsession-errors file

Parameters
Parameter:Description:
domain

Domain to not audit

xserver_dontaudit_exec_xauth( domain )
Summary

Dontaudit exec of Xauthority program.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_getattr_xdm_tmp_sockets( domain )
Summary

Do not audit attempts to get the attributes of xdm temporary named sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_read_xdm_pid( domain )
Summary

Dontaudit Read XDM pid files.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_read_xdm_tmp_files( domain )
Summary

Do not audit attempts to read xdm temporary files.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_rw_stream_sockets( domain )
Summary

Do not audit attempts to read and write X server unix domain stream sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_rw_tcp_sockets( domain )
Summary

Do not audit attempts to read and write to X server sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_rw_xdm_pipes( domain )
Summary

Do not audit attempts to read and write XDM unnamed pipes.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_search_log( domain )
Summary

Dontaudit search ssh home directory

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_stream_connect( domain )
Summary

Dontaudit attempts to connect to xserver over a unix stream socket.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_use_xdm_fds( domain )
Summary

Do not audit attempts to inherit XDM file descriptors.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_write_log( domain )
Summary

Do not audit attempts to write the X server log files.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_xdm_rw_stream_sockets( domain )
Summary

Do not audit attempts to read and write xdm unix domain stream sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_xdm_tmp_dirs( domain )
Summary

Do not audit attempts to set the attributes of XDM temporary directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_xkb_libs_access( domain )
Summary

Do not audit access checks on X keyboard extension libraries.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_dri_domain( domain )
Summary

Domain wants to use direct io devices

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_entry_type( domain )
Summary

Make an X executable an entrypoint for the specified domain.

Parameters
Parameter:Description:
domain

The domain for which the shell is an entrypoint.

xserver_exec( domain )
Summary

Allow executing the X server.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

xserver_exec_pid( domain )
Summary

Execute xserver files created in /var/run

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_exec_xauth( domain )
Summary

Allow exec of Xauthority program.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

xserver_filetrans_admin_home_content( domain )
Summary

Create xserver content in admin home directory with a named file transition.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_filetrans_fonts_cache_home_content( domain )
Summary

Transition to xserver .fontconfig named content

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_filetrans_home_content( domain )
Summary

Transition to xserver named content

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_getattr_log( domain )
Summary

Get the attributes of X server logs.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_kill( domain )
Summary

Kill X servers

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_manage_config( domain )
Summary

Manage xserver configuration files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_manage_core_devices( domain )
Summary

Interface to provide X object permissions on a given X server to an X client domain. Gives the domain permission to read the virtual core keyboard and virtual core pointer devices.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_manage_home_fonts( domain )
Summary

Manage user homedir fonts.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_manage_user_fonts_dir( domain )
Summary

Manage user fonts dir.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_manage_user_xauth( domain )
Summary

Manage all users .Xauthority.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_manage_xdm_etc_files( domain )
Summary

Manage xdm config files.

Parameters
Parameter:Description:
domain

Domain to not audit

xserver_manage_xdm_spool_files( domain )
Summary

Create, read, write, and delete xdm_spool files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_manage_xdm_tmp_dirs( domain )
Summary

Create, read, write, and delete xdm temporary dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_manage_xdm_tmp_files( domain )
Summary

Create, read, write, and delete xdm temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_manage_xkb_libs( domain )
Summary

Manage X keyboard extension libraries.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_non_drawing_client( domain )
Summary

Create non-drawing client sessions on an X server.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_config( domain )
Summary

Read xserver configuration files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_home_fonts( domain )
Summary

Read user homedir fonts.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_inherited_xdm_lib_files( domain )
Summary

Read inherited XDM var lib files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_log( domain )
Summary

Allow domain to read X server logs.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_pid( domain )
Summary

Read xserver files created in /var/run

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_state_xdm( domain )
Summary

Read XDM state files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_tmp_files( domain )
Summary

Read X server temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_user_iceauth( domain )
Summary

Read a user Iceauthority domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_user_xauth( domain )
Summary

Read all users .Xauthority.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_xdm_etc_files( domain )
Summary

Read xdm config files.

Parameters
Parameter:Description:
domain

Domain to not audit

xserver_read_xdm_home_files( domain )
Summary

Read XDM files in user home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_xdm_lib_files( domain )
Summary

Read XDM var lib files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_xdm_pid( domain )
Summary

Read XDM pid files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_xdm_rw_config( domain )
Summary

Read xdm-writable configuration files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_xdm_state( domain )
Summary

Read xdm process state files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_xdm_tmp_files( domain )
Summary

Read xdm temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_xkb_libs( domain )
Summary

Read X keyboard extension libraries.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_relabel_xdm_tmp_dirs( domain )
Summary

Create, read, write, and delete xdm temporary dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_restricted_role( role , domain )
Summary

Rules required for using the X Windows server and environment, for restricted users.

Parameters
Parameter:Description:
role

Role allowed access.

domain

Domain allowed access.

xserver_ro_session( domain , tmpfs_type )
Summary

Create sessions on the X server, with read-only access to the X server shared memory segments.

Parameters
Parameter:Description:
domain

Domain allowed access.

tmpfs_type

The type of the domain SYSV tmpfs files.

xserver_role( role , domain )
Summary

Rules required for using the X Windows server and environment.

Parameters
Parameter:Description:
role

Role allowed access.

domain

Domain allowed access.

xserver_run( domain , role )
Summary

Execute xserver in the xserver domain, and allow the specified role the xserver domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

role

The role to be allowed the xserver domain.

xserver_run_xauth( domain , role )
Summary

Execute xserver in the xserver domain, and allow the specified role the xserver domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

role

The role to be allowed the xserver domain.

xserver_rw_console( domain )
Summary

Read and write the X windows console named pipe.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_rw_inherited_user_fonts( domain )
Summary

Read/write inherited user homedir fonts.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_rw_session( domain , tmpfs_type )
Summary

Create sessions on the X server, with read and write access to the X server shared memory segments.

Parameters
Parameter:Description:
domain

Domain allowed access.

tmpfs_type

The type of the domain SYSV tmpfs files.

xserver_rw_shm( domain )
Summary

Read and write X server Sys V Shared memory segments.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_rw_xdm_keys( domain )
Summary

Manage keys for xdm.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_rw_xdm_pipes( domain )
Summary

Read and write XDM unnamed pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_rw_xdm_tmp_files( domain )
Summary

Read and write xdm temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_search_xdm_lib( domain )
Summary

Search XDM var lib dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_search_xdm_tmp_dirs( domain )
Summary

Search XDM temporary directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_setattr_console_pipes( domain )
Summary

Set the attributes of the X windows console named pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_setattr_xdm_tmp_dirs( domain )
Summary

Set the attributes of XDM temporary directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_signal( domain )
Summary

Signal X servers

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_stream_connect( domain )
Summary

Connect to the X server over a unix domain stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_stream_connect_xdm( domain )
Summary

Connect to XDM over a unix domain stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_unconfined( domain )
Summary

Interface to provide X object permissions on a given X server to an X client domain. Gives the domain complete control over the display.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_use_all_users_fonts( domain )
Summary

Read all users fonts, user font configurations, and manage all users font caches.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_use_user_fonts( domain )
Summary

Read user fonts, user font configuration, and manage the user font cache.

Description

Read user fonts, user font configuration, and manage the user font cache.

This is a templated interface, and should only be called from a per-userdomain template.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_use_xdm_fds( domain )
Summary

Use file descriptors for xdm.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_user_client( domain , tmpfs_type )
Summary

Create full client sessions on a user X server.

Parameters
Parameter:Description:
domain

Domain allowed access.

tmpfs_type

The type of the domain SYSV tmpfs files.

xserver_user_home_dir_filetrans_user_xauth( domain )
Summary

Create a Xauthority file in the user home directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_write_pid( domain )
Summary

Write xserver files created in /var/run

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_xdm_append_log( domain )
Summary

Allow appending to the xdm log files.

Parameters
Parameter:Description:
domain

Domain to not audit

xserver_xdm_ioctl_log( domain )
Summary

Allow ioctl on the xdm log files.

Parameters
Parameter:Description:
domain

Domain to not audit

xserver_xdm_manage_spool( domain )
Summary

Manage the xdm_spool files

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_xdm_read_spool( domain )
Summary

Allow reading the xdm_spool files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_xdm_search_spool( domain )
Summary

Allow searching the xdm_spool files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_xdm_tmp_filetrans( domain , private_type , object_class , name )
Summary

Create objects in a xdm temporary directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.

xserver_xsession_entry_type( domain )
Summary

Make an X session script an entrypoint for the specified domain.

Parameters
Parameter:Description:
domain

The domain for which the shell is an entrypoint.

xserver_xsession_spec_domtrans( domain , target_domain )
Summary

Execute an X session in the target domain. This is an explicit transition, requiring the caller to use setexeccon().

Description

Execute an Xsession in the target domain. This is an explicit transition, requiring the caller to use setexeccon().

No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

target_domain

The type of the shell process.


Templates:

xserver_common_x_domain_template( prefix , domain )
Summary

Interface to provide X object permissions on a given X server to an X client domain. Provides the minimal set required by a basic X client application.

Parameters
Parameter:Description:
prefix

The prefix of the X client domain (e.g., user is the prefix for user_t).

domain

Client domain allowed access.

xserver_object_types_template( prefix )
Summary

Template for creating the set of types used in an X windows domain.

Parameters
Parameter:Description:
prefix

The prefix of the X client domain (e.g., user is the prefix for user_t).

xserver_user_x_domain_template( prefix , domain , tmpfs_type )
Summary

Interface to provide X object permissions on a given X server to an X client domain. Provides the minimal set required by a basic X client application.

Parameters
Parameter:Description:
prefix

The prefix of the X client domain (e.g., user is the prefix for user_t).

domain

Client domain allowed access.

tmpfs_type

The type of the domain SYSV tmpfs files.
