1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
|
policy_module(wm, 1.8.1)
########################################
#
# Declarations
#
attribute wm_domain;
type wm_exec_t;
corecmd_executable_file(wm_exec_t)
type wm_tmp_t;
userdom_user_tmp_file(wm_tmp_t)
type wm_tmpfs_t;
userdom_user_tmpfs_file(wm_tmpfs_t)
optional_policy(`
pulseaudio_tmpfs_content(wm_tmpfs_t)
')
########################################
#
# Common wm domain local policy
#
allow wm_domain self:fifo_file rw_fifo_file_perms;
allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };
allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms;
allow wm_domain self:shm create_shm_perms;
allow wm_domain self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
can_exec(wm_domain, wm_exec_t)
kernel_read_system_state(wm_domain)
corecmd_getattr_all_executables(wm_domain)
dev_read_rand(wm_domain)
dev_read_sound(wm_domain)
dev_read_sysfs(wm_domain)
dev_read_urand(wm_domain)
dev_rw_dri(wm_domain)
dev_rw_wireless(wm_domain)
dev_write_sound(wm_domain)
files_read_etc_runtime_files(wm_domain)
files_map_usr_files(wm_domain)
files_read_usr_files(wm_domain)
fs_getattr_all_fs(wm_domain)
kernel_read_fs_sysctls(wm_domain)
kernel_read_proc_symlinks(wm_domain)
kernel_read_sysctl(wm_domain)
locallogin_dontaudit_use_fds(wm_domain)
miscfiles_read_fonts(wm_domain)
miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)
selinux_get_enforce_mode(wm_domain)
seutil_read_config(wm_domain)
udev_read_pid_files(wm_domain)
# the following is needed by gnome-shell
userdom_exec_user_home_content_files(wm_domain)
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
# to print error messages
userdom_use_inherited_user_terminals(wm_domain)
userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
wm_dontaudit_exec_tmp_files(wm_domain)
wm_dontaudit_exec_tmpfs_files(wm_domain)
optional_policy(`
accountsd_dbus_chat(wm_domain)
')
optional_policy(`
bluetooth_dbus_chat(wm_domain)
')
optional_policy(`
consolekit_dbus_chat(wm_domain)
')
optional_policy(`
devicekit_dbus_chat_power(wm_domain)
')
optional_policy(`
evolution_dbus_chat(wm_domain)
evolution_alarm_dbus_chat(wm_domain)
')
optional_policy(`
games_dbus_chat(wm_domain)
')
optional_policy(`
# gnome-shell
mount_exec(wm_domain)
')
optional_policy(`
mozilla_dbus_chat(wm_domain)
')
optional_policy(`
networkmanager_dbus_chat(wm_domain)
networkmanager_read_etc_files(wm_domain)
')
optional_policy(`
policykit_dbus_chat(wm_domain)
')
optional_policy(`
telepathy_mission_control_dbus_chat(wm_domain)
')
optional_policy(`
userhelper_exec_consolehelper(wm_domain)
')
optional_policy(`
xserver_dbus_chat_xdm(wm_domain)
xserver_rw_xsession_log(wm_domain)
')
|
GitWeb