[people/stevee/selinux-policy.git] / policy / modules / services / nx.te

policy_module(nx, 1.5.0)

########################################
#
# Declarations
#

type nx_server_t;
type nx_server_exec_t;
domain_type(nx_server_t)
domain_entry_file(nx_server_t, nx_server_exec_t)
domain_user_exemption_target(nx_server_t)
# we need an extra role because nxserver is called from sshd
# cjp: do we really need this?
role nx_server_r;
role nx_server_r types nx_server_t;
allow system_r nx_server_r;

type nx_server_devpts_t;
term_user_pty(nx_server_t, nx_server_devpts_t)

type nx_server_tmp_t;
files_tmp_file(nx_server_tmp_t)

type nx_server_var_lib_t;
files_type(nx_server_var_lib_t)

type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)

type nx_server_home_ssh_t;
files_type(nx_server_home_ssh_t)

########################################
#
# NX server local policy
#

allow nx_server_t self:fifo_file rw_fifo_file_perms;
allow nx_server_t self:tcp_socket create_socket_perms;
allow nx_server_t self:udp_socket create_socket_perms;

allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(nx_server_t, nx_server_devpts_t)

manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })

manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })

manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)

manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)

kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)

# nxserver is a shell script --> call other programs
corecmd_exec_shell(nx_server_t)
corecmd_exec_bin(nx_server_t)

corenet_all_recvfrom_unlabeled(nx_server_t)
corenet_all_recvfrom_netlabel(nx_server_t)
corenet_tcp_sendrecv_generic_if(nx_server_t)
corenet_udp_sendrecv_generic_if(nx_server_t)
corenet_tcp_sendrecv_generic_node(nx_server_t)
corenet_udp_sendrecv_generic_node(nx_server_t)
corenet_tcp_sendrecv_all_ports(nx_server_t)
corenet_udp_sendrecv_all_ports(nx_server_t)
corenet_tcp_connect_all_ports(nx_server_t)
corenet_sendrecv_all_client_packets(nx_server_t)

dev_read_urand(nx_server_t)

files_read_etc_files(nx_server_t)
files_read_etc_runtime_files(nx_server_t)
# for reading the config files; maybe a separate type, 
# but users need to be able to also read the config
files_read_usr_files(nx_server_t)

miscfiles_read_localization(nx_server_t)

seutil_dontaudit_search_config(nx_server_t)

sysnet_read_config(nx_server_t)

ifdef(`TODO',`
	# clients already have create permissions; the nxclient wants to also have unlink rights
	allow userdomain xdm_tmp_t:sock_file delete_sock_file_perms;
	# for a lockfile created by the client process
	allow nx_server_t user_tmpfile:file getattr_file_perms;
')

########################################
#
# SSH component local policy
#

ssh_basic_client_template(nx_server, nx_server_t, nx_server_r)
Commit	Line	Data
29af4c13	1	policy_module(nx, 1.5.0)
6bd44948 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	type nx_server_t;
	9	type nx_server_exec_t;
	10	domain_type(nx_server_t)
0bfccda4	11	domain_entry_file(nx_server_t, nx_server_exec_t)
6bd44948 CP	12	domain_user_exemption_target(nx_server_t)
	13	# we need an extra role because nxserver is called from sshd
	14	# cjp: do we really need this?
95662e80	15	role nx_server_r;
6bd44948 CP	16	role nx_server_r types nx_server_t;
	17	allow system_r nx_server_r;
	18
	19	type nx_server_devpts_t;
0bfccda4	20	term_user_pty(nx_server_t, nx_server_devpts_t)
6bd44948 CP	21
	22	type nx_server_tmp_t;
	23	files_tmp_file(nx_server_tmp_t)
	24
316cdb1d JS	25	type nx_server_var_lib_t;
	26	files_type(nx_server_var_lib_t)
	27
6bd44948 CP	28	type nx_server_var_run_t;
	29	files_pid_file(nx_server_var_run_t)
	30
3eaa9939 DW	31	type nx_server_home_ssh_t;
	32	files_type(nx_server_home_ssh_t)
	33
6bd44948 CP	34	########################################
	35	#
	36	# NX server local policy
	37	#
	38
0b36a214	39	allow nx_server_t self:fifo_file rw_fifo_file_perms;
6bd44948 CP	40	allow nx_server_t self:tcp_socket create_socket_perms;
	41	allow nx_server_t self:udp_socket create_socket_perms;
	42
0f7c4002	43	allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
3f67f722	44	term_create_pty(nx_server_t, nx_server_devpts_t)
6bd44948	45
0bfccda4 CP	46	manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
0bfccda4 CP	47	manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
6bd44948 CP	48	files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
6bd44948 CP	49
316cdb1d JS	50	manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
	51	manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
	52	files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
	53
0bfccda4 CP	54	manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
0bfccda4 CP	55	files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
6bd44948	56
3eaa9939 DW	57	manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
	58	manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
	59
6bd44948 CP	60	kernel_read_system_state(nx_server_t)
	61	kernel_read_kernel_sysctls(nx_server_t)
	62
	63	# nxserver is a shell script --> call other programs
	64	corecmd_exec_shell(nx_server_t)
	65	corecmd_exec_bin(nx_server_t)
	66
19006686 CP	67	corenet_all_recvfrom_unlabeled(nx_server_t)
19006686 CP	68	corenet_all_recvfrom_netlabel(nx_server_t)
6bd44948 CP	69	corenet_tcp_sendrecv_generic_if(nx_server_t)
6bd44948 CP	70	corenet_udp_sendrecv_generic_if(nx_server_t)
c1262146 CP	71	corenet_tcp_sendrecv_generic_node(nx_server_t)
c1262146 CP	72	corenet_udp_sendrecv_generic_node(nx_server_t)
6bd44948 CP	73	corenet_tcp_sendrecv_all_ports(nx_server_t)
	74	corenet_udp_sendrecv_all_ports(nx_server_t)
	75	corenet_tcp_connect_all_ports(nx_server_t)
141cffdd	76	corenet_sendrecv_all_client_packets(nx_server_t)
6bd44948 CP	77
	78	dev_read_urand(nx_server_t)
	79
	80	files_read_etc_files(nx_server_t)
	81	files_read_etc_runtime_files(nx_server_t)
	82	# for reading the config files; maybe a separate type,
	83	# but users need to be able to also read the config
	84	files_read_usr_files(nx_server_t)
	85
6bd44948 CP	86	miscfiles_read_localization(nx_server_t)
	87
	88	seutil_dontaudit_search_config(nx_server_t)
	89
	90	sysnet_read_config(nx_server_t)
	91
	92	ifdef(`TODO',`
18f2a72d DG	93	# clients already have create permissions; the nxclient wants to also have unlink rights
	94	allow userdomain xdm_tmp_t:sock_file delete_sock_file_perms;
	95	# for a lockfile created by the client process
	96	allow nx_server_t user_tmpfile:file getattr_file_perms;
6bd44948 CP	97	')
	98
	99	########################################
	100	#
	101	# SSH component local policy
	102	#
	103
0bfccda4	104	ssh_basic_client_template(nx_server, nx_server_t, nx_server_r)