/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
-
-/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_ssh_home_t,s0)
-
+/opt/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0)
/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+/usr/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+/usr/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/usr/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+
+/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
')
+
+########################################
+## <summary>
+## Read nx home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nx_read_home_files',`
+ gen_require(`
+ type nx_server_home_ssh_t, nx_server_var_lib_t;
+ ')
+
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+')
+
+########################################
+## <summary>
+## Read nx /var/lib content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nx_search_var_lib',`
+ gen_require(`
+ type nx_server_var_lib_t;
+ ')
+
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create an object in the root directory, with a private
+## type using a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`nx_var_lib_filetrans',`
+ gen_require(`
+ type nx_server_var_lib_t;
+ ')
+
+ filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
+')
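Review bot: The summaries of the three new interfaces do not describe what they actually grant. `nx_read_home_files` says "Read nx home directory content" but only searches `nx_server_var_lib_t` and reads `nx_server_home_ssh_t`, i.e. the nx user's `.ssh` directory, which carries key material, so the summary should say so, e.g. `## Read the nx user's .ssh directory (keys and authorized_keys).`, and ideally name the intended caller (presumably sshd, not visible here) so later audits of who is allowed to read those keys are easy. `nx_search_var_lib` says "Read nx /var/lib content" but grants `search_dir_perms` only, so `## Search nx /var/lib directories.` is the accurate line, and `nx_var_lib_filetrans` keeps the copied "Create an object in the root directory" wording where `## Create an object in the nx /var/lib directory, with a private type using a type transition.` is meant. If the policy base's `filetrans_pattern` takes the optional filename argument, passing it through as `filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4)` with a documented optional `name` parameter would match how the files_*_filetrans interfaces are written.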
type nx_server_tmp_t;
files_tmp_file(nx_server_tmp_t)
+type nx_server_var_lib_t;
+files_type(nx_server_var_lib_t)
+
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(nx_server_t, nx_server_devpts_t)
+manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+
manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
+manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
+manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
+files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
+
manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
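Review bot: nx_server_t is given manage rights on nx_server_home_ssh_t and a /var/lib transition to nx_server_var_lib_t, but nothing transitions a `.ssh` directory created under nx_server_var_lib_t to nx_server_home_ssh_t, so any keys the server writes there at runtime would stay at the broader var_lib type until a relabel. If the policy base supports named file transitions, `filetrans_pattern(nx_server_t, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")` next to the `files_var_lib_filetrans` call closes that gap; otherwise a comment stating that `.ssh` labeling relies on restorecon after installation would at least document the assumption. Whether nx_server_t creates the `.ssh` directory itself is not visible in this hunk, and the enclosing policy block continues outside it.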