X Windows Server
Interface to provide X object permissions on a given X server to an X client domain. Provides the minimal set required by a basic X client application.
Parameter: | Description: | Optional: |
---|---|---|
domain | Client domain allowed access. | No |
Create a named socket in an XDM temporary directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Do not audit attempts to write the X server log files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit | No |
Execute the X server in the XDM X server domain.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Do not audit attempts to get the attributes of xdm temporary files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit | No |
Do not audit attempts to get the attributes of xdm temporary named sockets.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit | No |
Do not audit attempts to read xdm temporary files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit | No |
Do not audit attempts to read and write XDM unnamed pipes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to read and write xdm_xserver unix domain stream sockets.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Do not audit attempts to read and write to an XDM X server socket.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit | No |
Do not audit attempts to inherit XDM file descriptors.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to write the X server log files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit | No |
Execute xserver files created in /var/run
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of X server logs.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of xauth executable
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Kill XDM X servers
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit | No |
Create, read, write, and delete xdm temporary files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit | No |
Read xserver files created in /var/run
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read XDM var lib files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read XDM pid files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read xdm-writable configuration files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read xdm temporary files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit | No |
Read xdm temporary files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit | No |
Read X keyboard extension libraries.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit | No |
Execute xserver in the xdm_xserver domain, and allow the specified role the xdm_xserver domain.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
role | The role to be allowed the xdm_xserver domain. | No |
terminal | The type of the terminal the xdm_xserver domain is allowed to use. | No |
Read and write the X windows console named pipe.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write X server Sys V Shared memory segments.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write XDM unnamed pipes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write xdm temporary files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit | No |
Set the attributes of the X windows console named pipes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Set the attributes of XDM temporary directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Signal XDM X servers
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit | No |
Connect to apmd over a unix stream socket.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Connect to XDM over a unix domain stream socket.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Connect to xdm_xserver over a unix domain stream socket.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read all users fonts, user font configurations, and manage all users font caches.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Use file descriptors for xdm.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Write xserver files created in /var/run
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write the xdm xserver shared memory socket.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Send a SIGCHLD signal to XDM.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit | No |
Connect to apmd over a unix stream socket.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Make an X session script an entrypoint for the specified domain.
Parameter: | Description: | Optional: |
---|---|---|
domain | The domain for which the shell is an entrypoint. | No |
Execute an X session in the target domain. This is an explicit transition, requiring the caller to use setexeccon().
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
target_domain | The type of the shell process. | No |
Template to create types and rules common to all X server domains.
Parameter: | Description: | Optional: |
---|---|---|
prefix | The prefix of the domain (e.g., user is the prefix for user_t). | No |
Transition to a user Xauthority domain.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
The per role template for the xserver module.
Define a derived domain for the X server when executed by a user domain (e.g. via startx). See the xdm module if using an X Display Manager.
This is invoked automatically for each user and generally does not need to be invoked directly by policy writers.
Parameter: | Description: | Optional: |
---|---|---|
prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
user_domain | The type of the user domain. | No |
user_role | The role associated with the user domain. | No |
Read a user Iceauthority domain.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Read a user Xauthority domain.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Template for creating sessions on a prefix X server, with read-only access to the X server shared memory segments.
Parameter: | Description: | Optional: |
---|---|---|
prefix | The prefix of the domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
tmpfs_type | The type of the domain SYSV tmpfs files. | No |
Template for creating sessions on a prefix X server, with read and write access to the X server shared memory segments.
Parameter: | Description: | Optional: |
---|---|---|
prefix | The prefix of the domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
tmpfs_type | The type of the domain SYSV tmpfs files. | No |
Read user fonts, user font configuration, and manage the user font cache.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Template for creating full client sessions on a user X server.
Parameter: | Description: | Optional: |
---|---|---|
prefix | The prefix of the domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
tmpfs_type | The type of the domain SYSV tmpfs files. | No |
Transition to a user Xauthority domain.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |