authorChris PeBenito <pebenito@ieee.org>2017-08-13 16:21:44 -0400
committerLuis Ressel <aranea@aixah.de>2017-09-09 00:31:19 +0200
commit55a7d76dd8b6ddc679db0aa67cf3bbbf45fa4b30 (patch)
treef1b83848b1b9a1e7c068766166c2a8bd81e24756 /policy/modules/services
parentkernel: Module version bump for patch from Nicolas Iooss. (diff)
Remove complement and wildcard in allow rules.
Remove complement (~) and wildcard (*) in allow rules so that there are no unintentional additions when new permissions are declared. This patch does not add or remove permissions from any rules.
Diffstat (limited to 'policy/modules/services')
-rw-r--r--policy/modules/services/postgresql.te76
-rw-r--r--policy/modules/services/ssh.if2
-rw-r--r--policy/modules/services/ssh.te2
-rw-r--r--policy/modules/services/xserver.if2
-rw-r--r--policy/modules/services/xserver.te100
5 files changed, 100 insertions, 82 deletions
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index e21ce738..f118d9d0 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -243,29 +243,31 @@ tunable_policy(`sepgsql_transmit_client_label',`
allow postgresql_t self:process { setsockcreate };
')
-allow postgresql_t sepgsql_database_type:db_database *;
+allow postgresql_t sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access install_module load_module get_param set_param };
allow postgresql_t sepgsql_module_type:db_database install_module;
# Database/Loadable module
allow sepgsql_database_type sepgsql_module_type:db_database load_module;
-allow postgresql_t {sepgsql_schema_type sepgsql_temp_object_t}:db_schema *;
+allow postgresql_t {sepgsql_schema_type sepgsql_temp_object_t}:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name } ;
type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_schema_t;
type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
-allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
+allow postgresql_t sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto select update insert delete lock };
+allow postgresql_t sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto select update insert };
+allow postgresql_t sepgsql_table_type:db_tuple { relabelfrom relabelto use select update insert delete };
type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t;
-allow postgresql_t sepgsql_sequence_type:db_sequence *;
+allow postgresql_t sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value };
type_transition postgresql_t sepgsql_schema_type:db_sequence sepgsql_seq_t;
-allow postgresql_t sepgsql_view_type:db_view *;
+allow postgresql_t sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto expand };
type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t;
-allow postgresql_t sepgsql_procedure_type:db_procedure *;
+allow postgresql_t sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint install };
type_transition postgresql_t sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;
-allow postgresql_t sepgsql_blob_type:db_blob *;
+allow postgresql_t sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto read write import export };
type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;
manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
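Review bot: The new db_schema rule for postgresql_t carries a stray space before its semicolon (`} ;`) and keeps the unspaced type set `{sepgsql_schema_type sepgsql_temp_object_t}`, while the later hunk in this file (`@@ -562,9 +578,9 @@`) writes the same set as `{ sepgsql_schema_type sepgsql_temp_object_t }`; normalizing to `allow postgresql_t { sepgsql_schema_type sepgsql_temp_object_t }:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name };` keeps the two rules matchable by one pattern. Every expanded list in this patch is a hand-copied snapshot of a class definition, so the description's claim that no permissions are added or removed is best confirmed mechanically, for example with `sediff` between policies built at the parent commit and at this one. The `tunable_policy` block that the hunk opens inside starts outside this hunk.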
@@ -486,7 +488,13 @@ allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
# It is always allowed to operate temporary objects for any database client.
-allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
+allow sepgsql_client_type sepgsql_temp_object_t:db_schema { create drop getattr setattr search add_name remove_name };
+allow sepgsql_client_type sepgsql_temp_object_t:db_table { create drop getattr setattr select update insert delete lock };
+allow sepgsql_client_type sepgsql_temp_object_t:db_column { create drop getattr setattr select update insert };
+allow sepgsql_client_type sepgsql_temp_object_t:db_tuple { use select update insert delete };
+allow sepgsql_client_type sepgsql_temp_object_t:db_sequence { create drop getattr setattr get_value next_value set_value };
+allow sepgsql_client_type sepgsql_temp_object_t:db_view { create drop getattr setattr expand };
+allow sepgsql_client_type sepgsql_temp_object_t:db_procedure { create drop getattr setattr execute entrypoint install };
# Note that permission of creation/deletion are eventually controlled by
# create or drop permission of individual objects within shared schemas.
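Review bot: The seven expanded rules granting `sepgsql_client_type` access to `sepgsql_temp_object_t` are repeated verbatim for `sepgsql_admin_type` in the next hunk (`@@ -525,7 +533,13 @@`), so the two copies can now drift apart in a way the single removed complement rule could not. Defining each per-class temp-object set once as a permission-set macro (the project keeps such sets in its support macro files; exact location to confirm) and using it in both places would preserve the explicit-list intent while keeping the client and admin grants in lockstep. As far as the page shows, each expanded list omits exactly `relabelfrom` and `relabelto`, matching the removed `~{ relabelto relabelfrom }`.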
@@ -525,7 +533,13 @@ allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;
type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;
-allow sepgsql_admin_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_schema { create drop getattr setattr search add_name remove_name };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_table { create drop getattr setattr select update insert delete lock };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_column { create drop getattr setattr select update insert };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_tuple { use select update insert delete };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_sequence { create drop getattr setattr get_value next_value set_value };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_view { create drop getattr setattr expand };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_procedure { create drop getattr setattr execute entrypoint install };
allow sepgsql_admin_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute };
@@ -540,21 +554,23 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
tunable_policy(`sepgsql_unconfined_dbadm',`
- allow sepgsql_admin_type sepgsql_database_type:db_database *;
+ allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access install_module load_module get_param set_param };
- allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
+ allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name };
- allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *;
- allow sepgsql_admin_type sepgsql_sequence_type:db_sequence *;
- allow sepgsql_admin_type sepgsql_view_type:db_view *;
+ allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto select update insert delete lock };
+ allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto select update insert };
+ allow sepgsql_admin_type sepgsql_table_type:db_tuple { relabelfrom relabelto use select update insert delete };
+ allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value };
+ allow sepgsql_admin_type sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto expand };
- allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;
- allow sepgsql_admin_type sepgsql_trusted_procedure_type:db_procedure ~install;
- allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install };
+ allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint install };
+ allow sepgsql_admin_type sepgsql_trusted_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint };
+ allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto entrypoint };
- allow sepgsql_admin_type sepgsql_language_type:db_language ~implement;
+ allow sepgsql_admin_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute };
- allow sepgsql_admin_type sepgsql_blob_type:db_blob *;
+ allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto read write import export };
')
########################################
@@ -562,9 +578,9 @@ tunable_policy(`sepgsql_unconfined_dbadm',`
# Unconfined access to this module
#
-allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
+allow sepgsql_unconfined_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access install_module load_module get_param set_param };
-allow sepgsql_unconfined_type {sepgsql_schema_type sepgsql_temp_object_t}:db_schema *;
+allow sepgsql_unconfined_type { sepgsql_schema_type sepgsql_temp_object_t }:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name };
type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t;
type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
@@ -575,19 +591,21 @@ type_transition sepgsql_unconfined_type sepgsql_schema_type:db_procedure sepgsql
type_transition sepgsql_unconfined_type sepgsql_database_type:db_language sepgsql_lang_t;
type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
-allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
-allow sepgsql_unconfined_type sepgsql_sequence_type:db_sequence *;
-allow sepgsql_unconfined_type sepgsql_view_type:db_view *;
+allow sepgsql_unconfined_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto select update insert delete lock };
+allow sepgsql_unconfined_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto select update insert };
+allow sepgsql_unconfined_type sepgsql_table_type:db_tuple { relabelfrom relabelto use select update insert delete };
+allow sepgsql_unconfined_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value };
+allow sepgsql_unconfined_type sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto expand };
# unconfined domain is not allowed to invoke user defined procedure directly.
# They have to confirm and relabel it at first.
-allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *;
-allow sepgsql_unconfined_type sepgsql_trusted_procedure_type:db_procedure ~install;
-allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install };
+allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint install };
+allow sepgsql_unconfined_type sepgsql_trusted_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint };
+allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto entrypoint };
-allow sepgsql_unconfined_type sepgsql_language_type:db_language ~implement;
+allow sepgsql_unconfined_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute };
-allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+allow sepgsql_unconfined_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto read write import export };
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 1a428c39..aa906680 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -57,7 +57,7 @@ template(`ssh_basic_client_template',`
#
allow $1_ssh_t self:capability { dac_override dac_read_search setgid setuid };
- allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow $1_ssh_t self:fd use;
allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto };
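Review bot: The explicit `self:process` list on the added line omits `fork`, whereas the xserver.te hunk (`@@ -646,7 +646,7 @@`) expands the identical `~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }` into a list that begins with `fork`, so one of the two expansions is not a faithful complement. If `fork` is already granted to every domain through a shared attribute this is harmless at runtime, but it still contradicts the description's no-change claim; either add `fork` here and in the matching ssh.te rule (`@@ -100,7 +100,7 @@`) or drop it from xserver.te, and confirm with `sediff` against the parent build. The `ssh_basic_client_template` body continues outside this hunk.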
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 153376ec..32f09f80 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -100,7 +100,7 @@ ifdef(`distro_debian',`
#
allow ssh_t self:capability { dac_override dac_read_search setgid setuid };
-allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index c0373a44..d14bf3c0 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1511,7 +1511,7 @@ interface(`xserver_manage_core_devices',`
class x_keyboard all_x_keyboard_perms;
')
- allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
+ allow $1 xserver_t:{ x_device x_pointer x_keyboard } { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
')
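Review bot: The require block just above the changed rule pulls in `all_x_keyboard_perms`, so a future cleanup could plausibly swap the new 19-permission list back to the `all_x_*_perms` macros and silently reintroduce the open-ended grant this commit removes. A one-line comment above the rule, `# explicit list on purpose: all_x_*_perms would grow with every newly declared permission`, records the intent where the temptation is strongest. The same device list reappears in xserver.te (`@@ -791,21 +791,21 @@`, `@@ -946,11 +946,11 @@`, `@@ -1001,38 +1001,38 @@`). The `xserver_manage_core_devices` interface starts outside this hunk.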
########################################
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 380167a7..a88e4af5 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -646,7 +646,7 @@ allow xserver_t input_xevent_t:x_event send;
allow xserver_t self:capability { dac_override fowner fsetid ipc_owner mknod net_bind_service setgid setuid sys_admin sys_nice sys_rawio sys_tty_config };
dontaudit xserver_t self:capability chown;
allow xserver_t self:capability2 wake_alarm;
-allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow xserver_t self:process { fork transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
@@ -791,21 +791,21 @@ tunable_policy(`!xserver_object_manager',`
# should be xserver_unconfined(xserver_t),
# but typeattribute doesnt work in conditionals
- allow xserver_t xserver_t:x_server *;
- allow xserver_t { x_domain root_xdrawable_t }:x_drawable *;
- allow xserver_t xserver_t:x_screen *;
- allow xserver_t x_domain:x_gc *;
- allow xserver_t { x_domain root_xcolormap_t }:x_colormap *;
- allow xserver_t xproperty_type:x_property *;
- allow xserver_t xselection_type:x_selection *;
- allow xserver_t x_domain:x_cursor *;
- allow xserver_t x_domain:x_client *;
- allow xserver_t { x_domain xserver_t }:x_device *;
- allow xserver_t { x_domain xserver_t }:x_pointer *;
- allow xserver_t { x_domain xserver_t }:x_keyboard *;
- allow xserver_t xextension_type:x_extension *;
- allow xserver_t { x_domain xserver_t }:x_resource *;
- allow xserver_t xevent_type:{ x_event x_synthetic_event } *;
+ allow xserver_t xserver_t:x_server { getattr setattr record debug grab manage };
+ allow xserver_t { x_domain root_xdrawable_t }:x_drawable { create destroy read write blend getattr setattr list_child add_child remove_child list_property get_property set_property manage override show hide send receive };
+ allow xserver_t xserver_t:x_screen { getattr setattr hide_cursor show_cursor saver_getattr saver_setattr saver_hide saver_show };
+ allow xserver_t x_domain:x_gc { create destroy getattr setattr use };
+ allow xserver_t { x_domain root_xcolormap_t }:x_colormap { create destroy read write getattr add_color remove_color install uninstall use };
+ allow xserver_t xproperty_type:x_property { create destroy read write append getattr setattr };
+ allow xserver_t xselection_type:x_selection { read write getattr setattr };
+ allow xserver_t x_domain:x_cursor { create destroy read write getattr setattr use };
+ allow xserver_t x_domain:x_client { destroy getattr setattr manage };
+ allow xserver_t { x_domain xserver_t }:x_device { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+ allow xserver_t { x_domain xserver_t }:x_pointer { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+ allow xserver_t { x_domain xserver_t }:x_keyboard { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+ allow xserver_t xextension_type:x_extension { query use };
+ allow xserver_t { x_domain xserver_t }:x_resource { read write };
+ allow xserver_t xevent_type:{ x_event x_synthetic_event } { send receive };
')
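Review bot: The fifteen expanded rules in this conditional block are duplicated verbatim for `x_domain` and for `xserver_unconfined_type` in `@@ -1001,38 +1001,38 @@`, and the device list additionally appears in `@@ -946,11 +946,11 @@` and in xserver.if; the comment above the block explains why a typeattribute cannot be used here, but nothing now ties the three copies together. One permission-set macro per X class, defined once and referenced from all three blocks, would keep the grants explicit without hand-synchronising multi-item lists on every future class change. This is a style point; the three copies agree with each other as far as the page shows.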
optional_policy(`
@@ -946,11 +946,11 @@ allow x_domain x_domain:x_drawable { getattr get_property set_property remove_ch
# can use the default colormap
allow x_domain root_xcolormap_t:x_colormap { read use add_color remove_color install uninstall };
# can create and use colormaps
-allow x_domain self:x_colormap *;
+allow x_domain self:x_colormap { create destroy read write getattr add_color remove_color install uninstall use };
# X Devices
# operations allowed on my own devices
-allow x_domain self:{ x_device x_pointer x_keyboard } *;
+allow x_domain self:{ x_device x_pointer x_keyboard } { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
# operations allowed on generic devices
allow x_domain xserver_t:x_device { use getattr setattr getfocus setfocus bell grab freeze force_cursor };
# operations allowed on core keyboard
@@ -984,9 +984,9 @@ allow x_domain xselection_t:x_selection { getattr setattr read };
# Other X Objects
# can create and use cursors
-allow x_domain self:x_cursor *;
+allow x_domain self:x_cursor { create destroy read write getattr setattr use };
# can create and use graphics contexts
-allow x_domain self:x_gc *;
+allow x_domain self:x_gc { create destroy getattr setattr use };
# can read and write own objects
allow x_domain self:x_resource { read write };
# can mess with the screensaver
@@ -1001,38 +1001,38 @@ tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
- allow x_domain xserver_t:x_server *;
- allow x_domain xdrawable_type:x_drawable *;
- allow x_domain xserver_t:x_screen *;
- allow x_domain x_domain:x_gc *;
- allow x_domain xcolormap_type:x_colormap *;
- allow x_domain xproperty_type:x_property *;
- allow x_domain xselection_type:x_selection *;
- allow x_domain x_domain:x_cursor *;
- allow x_domain x_domain:x_client *;
- allow x_domain { x_domain xserver_t }:x_device *;
- allow x_domain { x_domain xserver_t }:x_pointer *;
- allow x_domain { x_domain xserver_t }:x_keyboard *;
- allow x_domain xextension_type:x_extension *;
- allow x_domain { x_domain xserver_t }:x_resource *;
- allow x_domain xevent_type:{ x_event x_synthetic_event } *;
+ allow x_domain xserver_t:x_server { getattr setattr record debug grab manage };
+ allow x_domain xdrawable_type:x_drawable { create destroy read write blend getattr setattr list_child add_child remove_child list_property get_property set_property manage override show hide send receive };
+ allow x_domain xserver_t:x_screen { getattr setattr hide_cursor show_cursor saver_getattr saver_setattr saver_hide saver_show };
+ allow x_domain x_domain:x_gc { create destroy getattr setattr use };
+ allow x_domain xcolormap_type:x_colormap { create destroy read write getattr add_color remove_color install uninstall use };
+ allow x_domain xproperty_type:x_property { create destroy read write append getattr setattr };
+ allow x_domain xselection_type:x_selection { read write getattr setattr };
+ allow x_domain x_domain:x_cursor { create destroy read write getattr setattr use };
+ allow x_domain x_domain:x_client { destroy getattr setattr manage };
+ allow x_domain { x_domain xserver_t }:x_device { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+ allow x_domain { x_domain xserver_t }:x_pointer { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+ allow x_domain { x_domain xserver_t }:x_keyboard { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+ allow x_domain xextension_type:x_extension { query use };
+ allow x_domain { x_domain xserver_t }:x_resource { read write };
+ allow x_domain xevent_type:{ x_event x_synthetic_event } { send receive };
')
-allow xserver_unconfined_type xserver_t:x_server *;
-allow xserver_unconfined_type xdrawable_type:x_drawable *;
-allow xserver_unconfined_type xserver_t:x_screen *;
-allow xserver_unconfined_type x_domain:x_gc *;
-allow xserver_unconfined_type xcolormap_type:x_colormap *;
-allow xserver_unconfined_type xproperty_type:x_property *;
-allow xserver_unconfined_type xselection_type:x_selection *;
-allow xserver_unconfined_type x_domain:x_cursor *;
-allow xserver_unconfined_type x_domain:x_client *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
-allow xserver_unconfined_type xextension_type:x_extension *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
-allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
+allow xserver_unconfined_type xserver_t:x_server { getattr setattr record debug grab manage };
+allow xserver_unconfined_type xdrawable_type:x_drawable { create destroy read write blend getattr setattr list_child add_child remove_child list_property get_property set_property manage override show hide send receive };
+allow xserver_unconfined_type xserver_t:x_screen { getattr setattr hide_cursor show_cursor saver_getattr saver_setattr saver_hide saver_show };
+allow xserver_unconfined_type x_domain:x_gc { create destroy getattr setattr use };
+allow xserver_unconfined_type xcolormap_type:x_colormap { create destroy read write getattr add_color remove_color install uninstall use };
+allow xserver_unconfined_type xproperty_type:x_property { create destroy read write append getattr setattr };
+allow xserver_unconfined_type xselection_type:x_selection { read write getattr setattr };
+allow xserver_unconfined_type x_domain:x_cursor { create destroy read write getattr setattr use };
+allow xserver_unconfined_type x_domain:x_client { destroy getattr setattr manage };
+allow xserver_unconfined_type { x_domain xserver_t }:x_device { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+allow xserver_unconfined_type { x_domain xserver_t }:x_pointer { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+allow xserver_unconfined_type xextension_type:x_extension { query use };
+allow xserver_unconfined_type { x_domain xserver_t }:x_resource { read write };
+allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } { send receive };
ifdef(`distro_gentoo',`
########################################