diff options
Diffstat (limited to 'policy/modules/contrib/nx.te')
| -rw-r--r-- | policy/modules/contrib/nx.te | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/policy/modules/contrib/nx.te b/policy/modules/contrib/nx.te new file mode 100644 index 00000000..58e2972f --- /dev/null +++ b/policy/modules/contrib/nx.te @@ -0,0 +1,98 @@ +policy_module(nx, 1.6.0) + +######################################## +# +# Declarations +# + +type nx_server_t; +type nx_server_exec_t; +domain_type(nx_server_t) +domain_entry_file(nx_server_t, nx_server_exec_t) +domain_user_exemption_target(nx_server_t) +# we need an extra role because nxserver is called from sshd +# cjp: do we really need this? +role nx_server_r; +role nx_server_r types nx_server_t; +allow system_r nx_server_r; + +type nx_server_devpts_t; +term_user_pty(nx_server_t, nx_server_devpts_t) + +type nx_server_tmp_t; +files_tmp_file(nx_server_tmp_t) + +type nx_server_var_lib_t; +files_type(nx_server_var_lib_t) + +type nx_server_var_run_t; +files_pid_file(nx_server_var_run_t) + +######################################## +# +# NX server local policy +# + +allow nx_server_t self:fifo_file rw_fifo_file_perms; +allow nx_server_t self:tcp_socket create_socket_perms; +allow nx_server_t self:udp_socket create_socket_perms; + +allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr }; +term_create_pty(nx_server_t, nx_server_devpts_t) + +manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) +manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) +files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir }) + +manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t) +manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t) +files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir }) + +manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) +files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) + +kernel_read_system_state(nx_server_t) +kernel_read_kernel_sysctls(nx_server_t) + +# nxserver is a shell script --> call other programs +corecmd_exec_shell(nx_server_t) +corecmd_exec_bin(nx_server_t) + +corenet_all_recvfrom_unlabeled(nx_server_t) +corenet_all_recvfrom_netlabel(nx_server_t) +corenet_tcp_sendrecv_generic_if(nx_server_t) +corenet_udp_sendrecv_generic_if(nx_server_t) +corenet_tcp_sendrecv_generic_node(nx_server_t) +corenet_udp_sendrecv_generic_node(nx_server_t) +corenet_tcp_sendrecv_all_ports(nx_server_t) +corenet_udp_sendrecv_all_ports(nx_server_t) +corenet_tcp_connect_all_ports(nx_server_t) +corenet_sendrecv_all_client_packets(nx_server_t) + +dev_read_urand(nx_server_t) + +files_read_etc_files(nx_server_t) +files_read_etc_runtime_files(nx_server_t) +# for reading the config files; maybe a separate type, +# but users need to be able to also read the config +files_read_usr_files(nx_server_t) + +miscfiles_read_localization(nx_server_t) + +seutil_dontaudit_search_config(nx_server_t) + +sysnet_read_config(nx_server_t) + +ifdef(`TODO',` +# clients already have create permissions; the nxclient wants to also have unlink rights +allow userdomain xdm_tmp_t:sock_file unlink; +# for a lockfile created by the client process +allow nx_server_t user_tmpfile:file getattr; +') + +######################################## +# +# SSH component local policy +# + +ssh_basic_client_template(nx_server, nx_server_t, nx_server_r) |