Layer: services

Module: xserver

Description:

X Windows Server


Tunables:

allow_write_xshm
Default value

false

Description

Allows clients to write to the X server shared memory segments.

xdm_sysadm_login
Default value

false

Description

Allow xdm logins as sysadm.

xserver_allow_dri
Default value

false

Description

Allow DRI access.

xserver_gnome_xdm
Default value

false

Description

Use gnome-shell in gdm mode as the X Display Manager (XDM).

xserver_object_manager
Default value

false

Description

Support X userspace object manager.

Interfaces:

xserver_create_console_pipes( domain )
Summary

Create the X windows console named pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_create_xdm_tmp_dirs( domain )
Summary

Create xdm temporary directories.

Parameters
Parameter:Description:
domain

Domain to allow access.

xserver_create_xdm_tmp_sockets( domain )
Summary

Create a named socket in an XDM temporary directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_dbus_chat( domain )
Summary

Talk to xserver_t over dbus.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_dbus_chat_xdm( domain )
Summary

Send and receive messages from xdm over dbus.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_delete_log( domain )
Summary

Delete X server log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_delete_xdm_tmp_sockets( domain )
Summary

Delete a named socket in an XDM temporary directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_domtrans( domain )
Summary

Execute the X server in the X server domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

xserver_domtrans_xauth( domain )
Summary

Transition to the Xauthority domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

xserver_dontaudit_getattr_xdm_tmp_sockets( domain )
Summary

Do not audit attempts to get the attributes of xdm temporary named sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_read_xdm_tmp_files( domain )
Summary

Do not audit attempts to read xdm temporary files.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_rw_stream_sockets( domain )
Summary

Do not audit attempts to read and write X server unix domain stream sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_rw_tcp_sockets( domain )
Summary

Do not audit attempts to read and write to X server sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_rw_xdm_pipes( domain )
Summary

Do not audit attempts to read and write XDM unnamed pipes.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_use_xdm_fds( domain )
Summary

Do not audit attempts to inherit XDM file descriptors.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_dontaudit_write_log( domain )
Summary

Do not audit attempts to write the X server log files.

Parameters
Parameter:Description:
domain

Domain to not audit.

xserver_getattr_log( domain )
Summary

Get the attributes of X server logs.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_kill( domain )
Summary

Kill X servers.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_link_xdm_keys( domain )
Summary

Manage keys for xdm.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_list_xdm_tmp( domain )
Summary

List xdm_tmp_t directories.

Parameters
Parameter:Description:
domain

Domain to allow access.

xserver_manage_core_devices( domain )
Summary

Interface to provide X object permissions on a given X server to an X client domain. Gives the domain permission to read the virtual core keyboard and virtual core pointer devices.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_manage_mesa_shader_cache( domain )
Summary

Manage the mesa shader cache.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_manage_xdm_tmp_files( domain )
Summary

Create, read, write, and delete xdm temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_manage_xsession_log( domain )
Summary

Manage xsession log files such as .xsession-errors.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_non_drawing_client( domain )
Summary

Create non-drawing client sessions on an X server.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_state( domain )
Summary

Allow reading xserver_t files to get cgroup and sessionid.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_tmp_files( domain )
Summary

Read X server temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_user_dmrc( domain )
Summary

Read all users .dmrc.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_user_iceauth( domain )
Summary

Read all users .ICEauthority.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_user_xauth( domain )
Summary

Read all users .Xauthority.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_xdm_lib_files( domain )
Summary

Read XDM var lib files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_xdm_runtime_files( domain )
Summary

Read XDM runtime files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_xdm_rw_config( domain )
Summary

Read xdm-writable configuration files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_xdm_state( domain )
Summary

Read xdm process state files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_xdm_tmp_files( domain )
Summary

Read xdm temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_read_xkb_libs( domain )
Summary

Read X keyboard extension libraries.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_relabel_console_pipes( domain )
Summary

Relabel the X windows console named pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_ro_session( domain , tmpfs_type )
Summary

Create sessions on the X server, with read-only access to the X server shared memory segments.

Parameters
Parameter:Description:
domain

Domain allowed access.

tmpfs_type

The type of the domain SYSV tmpfs files.

xserver_rw_console( domain )
Summary

Read and write the X windows console named pipe.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_rw_mesa_shader_cache( domain )
Summary

Read and write the mesa shader cache.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_rw_session( domain , tmpfs_type )
Summary

Create sessions on the X server, with read and write access to the X server shared memory segments.

Parameters
Parameter:Description:
domain

Domain allowed access.

tmpfs_type

The type of the domain SYSV tmpfs files.

xserver_rw_shm( domain )
Summary

Read and write X server Sys V Shared memory segments.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_rw_xdm_keys( domain )
Summary

Manage keys for xdm.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_rw_xdm_pipes( domain )
Summary

Read and write XDM unnamed pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_rw_xdm_tmp_files( domain )
Summary

Read and write xdm temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_rw_xsession_log( domain )
Summary

Read and write xsession log files such as .xsession-errors.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_setattr_console_pipes( domain )
Summary

Set the attributes of the X windows console named pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_setattr_xdm_tmp_dirs( domain )
Summary

Set the attributes of XDM temporary directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_setsched_xdm( domain )
Summary

Set the priority of the X Display Manager (XDM).

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_sigchld_xdm( domain )
Summary

Allow domain to send sigchld to xdm_t.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_signal( domain )
Summary

Signal X servers.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_stream_connect( domain )
Summary

Connect to the X server over a unix domain stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_stream_connect_xdm( domain )
Summary

Connect to XDM over a unix domain stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_unconfined( domain )
Summary

Interface to provide X object permissions on a given X server to an X client domain. Gives the domain complete control over the display.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_use_user_fonts( domain )
Summary

Read user fonts, user font configuration, and manage the user font cache.

Description

Read user fonts, user font configuration, and manage the user font cache.

This is a templated interface, and should only be called from a per-userdomain template.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_use_xdm_fds( domain )
Summary

Use file descriptors for xdm.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_user_home_dir_filetrans_user_iceauth( domain , name )
Summary

Create an ICEauthority file in the user home directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

name

The name of the object being created.

xserver_user_home_dir_filetrans_user_xauth( domain , name )
Summary

Create an Xauthority file in the user home directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

name

The name of the object being created.

xserver_user_home_dir_filetrans_user_xsession_log( domain )
Summary

Create a .xsession-errors log file in the user home directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_write_inherited_log( domain )
Summary

Write to inherited X server log files such as /var/log/lightdm/lightdm.log.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_write_inherited_xsession_log( domain )
Summary

Write to inherited xsession log files such as .xsession-errors.

Parameters
Parameter:Description:
domain

Domain allowed access.

xserver_xsession_entry_type( domain )
Summary

Make an X session script an entrypoint for the specified domain.

Parameters
Parameter:Description:
domain

The domain for which the shell is an entrypoint.

xserver_xsession_spec_domtrans( domain , target_domain )
Summary

Execute an X session in the target domain. This is an explicit transition, requiring the caller to use setexeccon().

Description

Execute an Xsession in the target domain. This is an explicit transition, requiring the caller to use setexeccon().

No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

target_domain

The type of the shell process.

Templates:

xserver_common_x_domain_template( prefix , domain )
Summary

Interface to provide X object permissions on a given X server to an X client domain. Provides the minimal set required by a basic X client application.

Parameters
Parameter:Description:
prefix

The prefix of the X client domain (e.g., user is the prefix for user_t).

domain

Client domain allowed access.

xserver_object_types_template( prefix )
Summary

Template for creating the set of types used in an X windows domain.

Parameters
Parameter:Description:
prefix

The prefix of the X client domain (e.g., user is the prefix for user_t).

xserver_restricted_role( role_prefix , user_domain , user_exec_domain , role )
Summary

Rules required for using the X Windows server and environment, for restricted users.

Parameters
Parameter:Description:
role_prefix

The prefix of the user role (e.g., user is the prefix for user_r).

user_domain

User domain for the role.

user_exec_domain

User exec domain for execute and transition access.

role

Role allowed access.

xserver_role( role_prefix , user_domain , user_exec_domain , role )
Summary

Rules required for using the X Windows server and environment.

Parameters
Parameter:Description:
role_prefix

The prefix of the user role (e.g., user is the prefix for user_r).

user_domain

User domain for the role.

user_exec_domain

User exec domain for execute and transition access.

role

Role allowed access.

xserver_user_x_domain_template( prefix , domain , tmpfs_type )
Summary

Interface to provide X object permissions on a given X server to an X client domain. Provides the minimal set required by a basic X client application.

Parameters
Parameter:Description:
prefix

The prefix of the X client domain (e.g., user is the prefix for user_t).

domain

Client domain allowed access.

tmpfs_type

The type of the domain SYSV tmpfs files.
