# nx.te - SELinux Reference Policy module for the NX server.
# This part of the module declares the domain, its entry point, the role
# it runs under and the file types it manages; the allow rules follow in
# the "NX server local policy" section below.
policy_module(nx, 1.5.0)

########################################
#
# Declarations
#

# nx_server_t is the process domain; nx_server_exec_t labels the binary
# that is the only entry point into it (domain_entry_file).
type nx_server_t;
type nx_server_exec_t;
domain_type(nx_server_t)
domain_entry_file(nx_server_t, nx_server_exec_t)
domain_user_exemption_target(nx_server_t)
# we need an extra role because nxserver is called from sshd
# cjp: do we really need this?
role nx_server_r;
role nx_server_r types nx_server_t;
# role allow rule: permits a role transition from system_r into nx_server_r.
# NOTE(review): if the role turns out to be unnecessary (see question above),
# this rule and the role declarations can go together.
allow system_r nx_server_r;

# Pseudo-terminals created by the server are labelled nx_server_devpts_t.
type nx_server_devpts_t;
term_user_pty(nx_server_t, nx_server_devpts_t)

# Scratch files under /tmp.
type nx_server_tmp_t;
files_tmp_file(nx_server_tmp_t)

# Persistent state under /var/lib (declared as a generic file type).
type nx_server_var_lib_t;
files_type(nx_server_var_lib_t)

# Runtime/pid files under /var/run (declared as a pid-file type).
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)

# SSH-related files in the server's home; declared as a generic file type,
# so none of the stock ssh home-directory interfaces apply to it.
type nx_server_home_ssh_t;
files_type(nx_server_home_ssh_t)

########################################
#
# NX server local policy
#

# Self access: pipes plus creation of TCP/UDP sockets.
allow nx_server_t self:fifo_file rw_fifo_file_perms;
allow nx_server_t self:tcp_socket create_socket_perms;
allow nx_server_t self:udp_socket create_socket_perms;

# Read/write and setattr on its own ptys, plus creation of new ones.
allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(nx_server_t, nx_server_devpts_t)

# /tmp: full management of its own files and dirs, with the type transition
# so newly created entries get nx_server_tmp_t instead of the parent label.
manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })

# /var/lib: same management + transition pattern for persistent state.
manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })

# /var/run: files only (no dir management), transition applies to files.
manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)

# Home ssh files: management only; no filetrans is declared here, so the
# label is expected to come from file contexts rather than from creation.
manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)

kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)

# nxserver is a shell script --> call other programs
# NOTE(review): these execute shell and generic bin files in the
# nx_server_t domain itself (no domain transition), so everything the
# script spawns inherits the full permission set of this module.
corecmd_exec_shell(nx_server_t)
corecmd_exec_bin(nx_server_t)

# Network: generic interfaces/nodes, send/receive on ALL ports, and
# outbound TCP connect to ALL ports.
# NOTE(review): the all_ports/connect_all_ports interfaces give unrestricted
# client-side network access; if the server only talks to sshd and the NX
# display ports, narrowing these to the specific port types would reduce
# what a compromised nx_server_t can reach.
corenet_all_recvfrom_unlabeled(nx_server_t)
corenet_all_recvfrom_netlabel(nx_server_t)
corenet_tcp_sendrecv_generic_if(nx_server_t)
corenet_udp_sendrecv_generic_if(nx_server_t)
corenet_tcp_sendrecv_generic_node(nx_server_t)
corenet_udp_sendrecv_generic_node(nx_server_t)
corenet_tcp_sendrecv_all_ports(nx_server_t)
corenet_udp_sendrecv_all_ports(nx_server_t)
corenet_tcp_connect_all_ports(nx_server_t)
corenet_sendrecv_all_client_packets(nx_server_t)

# Read access to /dev/urandom (key/cookie generation presumably; not
# verified here).
dev_read_urand(nx_server_t)

files_read_etc_files(nx_server_t)
files_read_etc_runtime_files(nx_server_t)
# for reading the config files; maybe a separate type,
# but users need to be able to also read the config
files_read_usr_files(nx_server_t)

miscfiles_read_localization(nx_server_t)

# Silence denials from the server probing the SELinux config directory.
seutil_dontaudit_search_config(nx_server_t)

sysnet_read_config(nx_server_t)

# The block below is only compiled when the m4 symbol TODO is defined,
# i.e. it is disabled in a normal build.
# NOTE(review): the rules reference types owned by other modules
# (userdomain, xdm_tmp_t, user_tmpfile) directly instead of through their
# interfaces, so if this is ever enabled it will need the corresponding
# interface calls or gen_require declarations.
ifdef(`TODO',`
# clients already have create permissions; the nxclient wants to also have unlink rights
allow userdomain xdm_tmp_t:sock_file delete_sock_file_perms;
# for a lockfile created by the client process
allow nx_server_t user_tmpfile:file getattr_file_perms;
')

########################################
#
# SSH component local policy
#

# Gives nx_server_t the basic ssh client policy under role nx_server_r
# (the server is invoked via sshd, see the role comment in Declarations).
ssh_basic_client_template(nx_server, nx_server_t, nx_server_r)