author | 2017-08-13 16:21:44 -0400 | |
committer | 2017-09-09 00:31:19 +0200 | |
commit | 55a7d76dd8b6ddc679db0aa67cf3bbbf45fa4b30 (patch) | |
tree | f1b83848b1b9a1e7c068766166c2a8bd81e24756 /policy/modules/services | |
parent | kernel: Module version bump for patch from Nicolas Iooss. (diff) | |
Remove complement and wildcard in allow rules.
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
Diffstat (limited to 'policy/modules/services')
-rw-r--r-- | policy/modules/services/postgresql.te | 76 | ||||
-rw-r--r-- | policy/modules/services/ssh.if | 2 | ||||
-rw-r--r-- | policy/modules/services/ssh.te | 2 | ||||
-rw-r--r-- | policy/modules/services/xserver.if | 2 | ||||
-rw-r--r-- | policy/modules/services/xserver.te | 100 |
5 files changed, 100 insertions, 82 deletions
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index e21ce738..f118d9d0 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -243,29 +243,31 @@ tunable_policy(`sepgsql_transmit_client_label',`
 allow postgresql_t self:process { setsockcreate };
 ')
-allow postgresql_t sepgsql_database_type:db_database *;
+allow postgresql_t sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access install_module load_module get_param set_param };
 allow postgresql_t sepgsql_module_type:db_database install_module;
 # Database/Loadable module
 allow sepgsql_database_type sepgsql_module_type:db_database load_module;
-allow postgresql_t {sepgsql_schema_type sepgsql_temp_object_t}:db_schema *;
+allow postgresql_t {sepgsql_schema_type sepgsql_temp_object_t}:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name } ;
 type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_schema_t;
 type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
-allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
+allow postgresql_t sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto select update insert delete lock };
+allow postgresql_t sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto select update insert };
+allow postgresql_t sepgsql_table_type:db_tuple { relabelfrom relabelto use select update insert delete };
 type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t;
-allow postgresql_t sepgsql_sequence_type:db_sequence *;
+allow postgresql_t sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value };
 type_transition postgresql_t sepgsql_schema_type:db_sequence sepgsql_seq_t;
-allow postgresql_t sepgsql_view_type:db_view *;
+allow postgresql_t sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto expand };
 type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t;
-allow postgresql_t sepgsql_procedure_type:db_procedure *;
+allow postgresql_t sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint install };
 type_transition postgresql_t sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;
-allow postgresql_t sepgsql_blob_type:db_blob *;
+allow postgresql_t sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto read write import export };
 type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;
 manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
@@ -486,7 +488,13 @@ allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
 dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
 # It is always allowed to operate temporary objects for any database client.
-allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
+allow sepgsql_client_type sepgsql_temp_object_t:db_schema { create drop getattr setattr search add_name remove_name };
+allow sepgsql_client_type sepgsql_temp_object_t:db_table { create drop getattr setattr select update insert delete lock };
+allow sepgsql_client_type sepgsql_temp_object_t:db_column { create drop getattr setattr select update insert };
+allow sepgsql_client_type sepgsql_temp_object_t:db_tuple { use select update insert delete };
+allow sepgsql_client_type sepgsql_temp_object_t:db_sequence { create drop getattr setattr get_value next_value set_value };
+allow sepgsql_client_type sepgsql_temp_object_t:db_view { create drop getattr setattr expand };
+allow sepgsql_client_type sepgsql_temp_object_t:db_procedure { create drop getattr setattr execute entrypoint install };
 # Note that permission of creation/deletion are eventually controlled by
 # create or drop permission of individual objects within shared schemas.
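Review bot: The rewritten db_schema rule in the @@ -243 hunk ends in `} ;` with a space before the semicolon, unlike every other expanded rule in this commit; it should read `allow postgresql_t {sepgsql_schema_type sepgsql_temp_object_t}:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name };`. The same fully expanded db_database, db_schema, db_table, db_column, db_tuple, db_sequence, db_view, db_procedure and db_blob lists are then repeated verbatim for sepgsql_admin_type and sepgsql_unconfined_type in the @@ -540, @@ -562 and @@ -575 hunks of this file, so three copies can now drift apart independently, which is the drift the wildcard used to hide; a per-class permission-set macro defined once alongside the policy's other permission sets would keep each list in one place. The equivalence claimed by the commit message holds only while these lists match the class declarations at this commit, which I cannot confirm from the diff alone. The region around the first hunk starts and ends outside it.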
@@ -525,7 +533,13 @@ allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;
 type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;
-allow sepgsql_admin_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_schema { create drop getattr setattr search add_name remove_name };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_table { create drop getattr setattr select update insert delete lock };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_column { create drop getattr setattr select update insert };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_tuple { use select update insert delete };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_sequence { create drop getattr setattr get_value next_value set_value };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_view { create drop getattr setattr expand };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_procedure { create drop getattr setattr execute entrypoint install };
 allow sepgsql_admin_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute };
@@ -540,21 +554,23 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
 kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
 tunable_policy(`sepgsql_unconfined_dbadm',`
- allow sepgsql_admin_type sepgsql_database_type:db_database *;
+ allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access install_module load_module get_param set_param };
- allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
+ allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name };
- allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *;
- allow sepgsql_admin_type sepgsql_sequence_type:db_sequence *;
- allow sepgsql_admin_type sepgsql_view_type:db_view *;
+ allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto select update insert delete lock };
+ allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto select update insert };
+ allow sepgsql_admin_type sepgsql_table_type:db_tuple { relabelfrom relabelto use select update insert delete };
+ allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value };
+ allow sepgsql_admin_type sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto expand };
- allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;
- allow sepgsql_admin_type sepgsql_trusted_procedure_type:db_procedure ~install;
- allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install };
+ allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint install };
+ allow sepgsql_admin_type sepgsql_trusted_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint };
+ allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto entrypoint };
- allow sepgsql_admin_type sepgsql_language_type:db_language ~implement;
+ allow sepgsql_admin_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute };
- allow sepgsql_admin_type sepgsql_blob_type:db_blob *;
+ allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto read write import export };
 ')
 ########################################
@@ -562,9 +578,9 @@ tunable_policy(`sepgsql_unconfined_dbadm',`
 # Unconfined access to this module
 #
-allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
+allow sepgsql_unconfined_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access install_module load_module get_param set_param };
-allow sepgsql_unconfined_type {sepgsql_schema_type sepgsql_temp_object_t}:db_schema *;
+allow sepgsql_unconfined_type { sepgsql_schema_type sepgsql_temp_object_t }:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name };
 type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t;
 type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
@@ -575,19 +591,21 @@ type_transition sepgsql_unconfined_type sepgsql_schema_type:db_procedure sepgsql
 type_transition sepgsql_unconfined_type sepgsql_database_type:db_language sepgsql_lang_t;
 type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
-allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
-allow sepgsql_unconfined_type sepgsql_sequence_type:db_sequence *;
-allow sepgsql_unconfined_type sepgsql_view_type:db_view *;
+allow sepgsql_unconfined_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto select update insert delete lock };
+allow sepgsql_unconfined_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto select update insert };
+allow sepgsql_unconfined_type sepgsql_table_type:db_tuple { relabelfrom relabelto use select update insert delete };
+allow sepgsql_unconfined_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value };
+allow sepgsql_unconfined_type sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto expand };
 # unconfined domain is not allowed to invoke user defined procedure directly.
 # They have to confirm and relabel it at first.
-allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *;
-allow sepgsql_unconfined_type sepgsql_trusted_procedure_type:db_procedure ~install;
-allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install };
+allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint install };
+allow sepgsql_unconfined_type sepgsql_trusted_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint };
+allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto entrypoint };
-allow sepgsql_unconfined_type sepgsql_language_type:db_language ~implement;
+allow sepgsql_unconfined_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute };
-allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+allow sepgsql_unconfined_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto read write import export };
 allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 1a428c39..aa906680 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -57,7 +57,7 @@ template(`ssh_basic_client_template',`
 #
 allow $1_ssh_t self:capability { dac_override dac_read_search setgid setuid };
- allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow $1_ssh_t self:fd use;
 allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
 allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto };
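Review bot: The expanded list that replaces `~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }` in the ssh.if hunk omits `fork`, although the complement never excluded it and the xserver.te @@ -646 hunk, which expands the identical complement, lists `fork` first; since the commit message says no permission is removed, this line should presumably read `allow $1_ssh_t self:process { fork transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };`. The ssh.te hunk has the same omission for ssh_t. If the ssh domains obtain fork from a broader rule elsewhere in the policy, that is not visible in this diff and the message should say so rather than claim strict equivalence. The enclosing `ssh_basic_client_template` starts and ends outside the hunk.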
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 153376ec..32f09f80 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -100,7 +100,7 @@ ifdef(`distro_debian',`
 #
 allow ssh_t self:capability { dac_override dac_read_search setgid setuid };
-allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow ssh_t self:fd use;
 allow ssh_t self:fifo_file rw_fifo_file_perms;
 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index c0373a44..d14bf3c0 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1511,7 +1511,7 @@ interface(`xserver_manage_core_devices',`
 class x_keyboard all_x_keyboard_perms;
 ')
- allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
+ allow $1 xserver_t:{ x_device x_pointer x_keyboard } { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
 ')
 ########################################
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 380167a7..a88e4af5 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -646,7 +646,7 @@ allow xserver_t input_xevent_t:x_event send;
 allow xserver_t self:capability { dac_override fowner fsetid ipc_owner mknod net_bind_service setgid setuid sys_admin sys_nice sys_rawio sys_tty_config };
 dontaudit xserver_t self:capability chown;
 allow xserver_t self:capability2 wake_alarm;
-allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow xserver_t self:process { fork transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
 allow xserver_t self:sock_file read_sock_file_perms;
@@ -791,21 +791,21 @@ tunable_policy(`!xserver_object_manager',`
 # should be xserver_unconfined(xserver_t),
 # but typeattribute doesnt work in conditionals
- allow xserver_t xserver_t:x_server *;
- allow xserver_t { x_domain root_xdrawable_t }:x_drawable *;
- allow xserver_t xserver_t:x_screen *;
- allow xserver_t x_domain:x_gc *;
- allow xserver_t { x_domain root_xcolormap_t }:x_colormap *;
- allow xserver_t xproperty_type:x_property *;
- allow xserver_t xselection_type:x_selection *;
- allow xserver_t x_domain:x_cursor *;
- allow xserver_t x_domain:x_client *;
- allow xserver_t { x_domain xserver_t }:x_device *;
- allow xserver_t { x_domain xserver_t }:x_pointer *;
- allow xserver_t { x_domain xserver_t }:x_keyboard *;
- allow xserver_t xextension_type:x_extension *;
- allow xserver_t { x_domain xserver_t }:x_resource *;
- allow xserver_t xevent_type:{ x_event x_synthetic_event } *;
+ allow xserver_t xserver_t:x_server { getattr setattr record debug grab manage };
+ allow xserver_t { x_domain root_xdrawable_t }:x_drawable { create destroy read write blend getattr setattr list_child add_child remove_child list_property get_property set_property manage override show hide send receive };
+ allow xserver_t xserver_t:x_screen { getattr setattr hide_cursor show_cursor saver_getattr saver_setattr saver_hide saver_show };
+ allow xserver_t x_domain:x_gc { create destroy getattr setattr use };
+ allow xserver_t { x_domain root_xcolormap_t }:x_colormap { create destroy read write getattr add_color remove_color install uninstall use };
+ allow xserver_t xproperty_type:x_property { create destroy read write append getattr setattr };
+ allow xserver_t xselection_type:x_selection { read write getattr setattr };
+ allow xserver_t x_domain:x_cursor { create destroy read write getattr setattr use };
+ allow xserver_t x_domain:x_client { destroy getattr setattr manage };
+ allow xserver_t { x_domain xserver_t }:x_device { getattr setattr use read write getfocus setfocus bell 
force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+ allow xserver_t { x_domain xserver_t }:x_pointer { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+ allow xserver_t { x_domain xserver_t }:x_keyboard { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+ allow xserver_t xextension_type:x_extension { query use };
+ allow xserver_t { x_domain xserver_t }:x_resource { read write };
+ allow xserver_t xevent_type:{ x_event x_synthetic_event } { send receive };
 ')
 optional_policy(`
@@ -946,11 +946,11 @@ allow x_domain x_domain:x_drawable { getattr get_property set_property remove_ch
 # can use the default colormap
 allow x_domain root_xcolormap_t:x_colormap { read use add_color remove_color install uninstall };
 # can create and use colormaps
-allow x_domain self:x_colormap *;
+allow x_domain self:x_colormap { create destroy read write getattr add_color remove_color install uninstall use };
 # X Devices
 # operations allowed on my own devices
-allow x_domain self:{ x_device x_pointer x_keyboard } *;
+allow x_domain self:{ x_device x_pointer x_keyboard } { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
 # operations allowed on generic devices
 allow x_domain xserver_t:x_device { use getattr setattr getfocus setfocus bell grab freeze force_cursor };
 # operations allowed on core keyboard
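Review bot: The x_device, x_pointer and x_keyboard rules in the @@ -791 hunk carry three verbatim copies of the same 19-permission list, whereas the xserver.if hunk of this same commit expresses the identical grant as one `allow $1 xserver_t:{ x_device x_pointer x_keyboard } { ... };` rule. Collapsing the three lines here to `allow xserver_t { x_domain xserver_t }:{ x_device x_pointer x_keyboard } { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };` would leave a single list to maintain and match the style used elsewhere in the commit; the @@ -1001 hunk repeats the same triplication twice more, for x_domain and for xserver_unconfined_type. The enclosing tunable_policy block starts outside the hunk.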
@@ -984,9 +984,9 @@ allow x_domain xselection_t:x_selection { getattr setattr read };
 # Other X Objects
 # can create and use cursors
-allow x_domain self:x_cursor *;
+allow x_domain self:x_cursor { create destroy read write getattr setattr use };
 # can create and use graphics contexts
-allow x_domain self:x_gc *;
+allow x_domain self:x_gc { create destroy getattr setattr use };
 # can read and write own objects
 allow x_domain self:x_resource { read write };
 # can mess with the screensaver
@@ -1001,38 +1001,38 @@ tunable_policy(`! xserver_object_manager',`
 # should be xserver_unconfined(x_domain),
 # but typeattribute doesnt work in conditionals
- allow x_domain xserver_t:x_server *;
- allow x_domain xdrawable_type:x_drawable *;
- allow x_domain xserver_t:x_screen *;
- allow x_domain x_domain:x_gc *;
- allow x_domain xcolormap_type:x_colormap *;
- allow x_domain xproperty_type:x_property *;
- allow x_domain xselection_type:x_selection *;
- allow x_domain x_domain:x_cursor *;
- allow x_domain x_domain:x_client *;
- allow x_domain { x_domain xserver_t }:x_device *;
- allow x_domain { x_domain xserver_t }:x_pointer *;
- allow x_domain { x_domain xserver_t }:x_keyboard *;
- allow x_domain xextension_type:x_extension *;
- allow x_domain { x_domain xserver_t }:x_resource *;
- allow x_domain xevent_type:{ x_event x_synthetic_event } *;
+ allow x_domain xserver_t:x_server { getattr setattr record debug grab manage };
+ allow x_domain xdrawable_type:x_drawable { create destroy read write blend getattr setattr list_child add_child remove_child list_property get_property set_property manage override show hide send receive };
+ allow x_domain xserver_t:x_screen { getattr setattr hide_cursor show_cursor saver_getattr saver_setattr saver_hide saver_show };
+ allow x_domain x_domain:x_gc { create destroy getattr setattr use };
+ allow x_domain xcolormap_type:x_colormap { create destroy read write getattr add_color remove_color install uninstall use };
+ allow x_domain xproperty_type:x_property { create destroy read write append getattr setattr };
+ allow x_domain xselection_type:x_selection { read write getattr setattr };
+ allow x_domain x_domain:x_cursor { create destroy read write getattr setattr use };
+ allow x_domain x_domain:x_client { destroy getattr setattr manage };
+ allow x_domain { x_domain xserver_t }:x_device { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove 
create destroy };
+ allow x_domain { x_domain xserver_t }:x_pointer { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+ allow x_domain { x_domain xserver_t }:x_keyboard { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+ allow x_domain xextension_type:x_extension { query use };
+ allow x_domain { x_domain xserver_t }:x_resource { read write };
+ allow x_domain xevent_type:{ x_event x_synthetic_event } { send receive };
 ')
-allow xserver_unconfined_type xserver_t:x_server *;
-allow xserver_unconfined_type xdrawable_type:x_drawable *;
-allow xserver_unconfined_type xserver_t:x_screen *;
-allow xserver_unconfined_type x_domain:x_gc *;
-allow xserver_unconfined_type xcolormap_type:x_colormap *;
-allow xserver_unconfined_type xproperty_type:x_property *;
-allow xserver_unconfined_type xselection_type:x_selection *;
-allow xserver_unconfined_type x_domain:x_cursor *;
-allow xserver_unconfined_type x_domain:x_client *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
-allow xserver_unconfined_type xextension_type:x_extension *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
-allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
+allow xserver_unconfined_type xserver_t:x_server { getattr setattr record debug grab manage };
+allow xserver_unconfined_type xdrawable_type:x_drawable { create destroy read write blend getattr setattr list_child add_child remove_child list_property get_property set_property manage override show hide send receive };
+allow xserver_unconfined_type xserver_t:x_screen { getattr setattr hide_cursor show_cursor saver_getattr saver_setattr saver_hide 
saver_show };
+allow xserver_unconfined_type x_domain:x_gc { create destroy getattr setattr use };
+allow xserver_unconfined_type xcolormap_type:x_colormap { create destroy read write getattr add_color remove_color install uninstall use };
+allow xserver_unconfined_type xproperty_type:x_property { create destroy read write append getattr setattr };
+allow xserver_unconfined_type xselection_type:x_selection { read write getattr setattr };
+allow xserver_unconfined_type x_domain:x_cursor { create destroy read write getattr setattr use };
+allow xserver_unconfined_type x_domain:x_client { destroy getattr setattr manage };
+allow xserver_unconfined_type { x_domain xserver_t }:x_device { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+allow xserver_unconfined_type { x_domain xserver_t }:x_pointer { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+allow xserver_unconfined_type xextension_type:x_extension { query use };
+allow xserver_unconfined_type { x_domain xserver_t }:x_resource { read write };
+allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } { send receive };
 ifdef(`distro_gentoo',`
 ########################################
|