diff --git a/policy/modules/services/nx.fc b/policy/modules/services/nx.fc index ce8d0b3a..c4d2dca8 100644 --- a/policy/modules/services/nx.fc +++ b/policy/modules/services/nx.fc @@ -1,7 +1,12 @@ /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) - -/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_ssh_home_t,s0) - +/opt/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) +/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) /opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0) /usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) +/usr/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) +/usr/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) +/usr/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) + +/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) +/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if index 0ab8cbc0..ccc68c75 100644 --- a/policy/modules/services/nx.if +++ b/policy/modules/services/nx.if @@ -17,3 +17,69 @@ interface(`nx_spec_domtrans_server',` spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) ') + +######################################## +## +## Read nx home directory content +## +## +## +## Domain allowed access. +## +## +# +interface(`nx_read_home_files',` + gen_require(` + type nx_server_home_ssh_t, nx_server_var_lib_t; + ') + + allow $1 nx_server_var_lib_t:dir search_dir_perms; + read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) +') + +######################################## +## +## Read nx /var/lib content +## +## +## +## Domain allowed access. +## +## +# +interface(`nx_search_var_lib',` + gen_require(` + type nx_server_var_lib_t; + ') + + allow $1 nx_server_var_lib_t:dir search_dir_perms; +') + +######################################## +## +## Create an object in the root directory, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +# +interface(`nx_var_lib_filetrans',` + gen_require(` + type nx_server_var_lib_t; + ') + + filetrans_pattern($1, nx_server_var_lib_t, $2, $3) +') diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te index d7a15ea4..c6b8ae05 100644 --- a/policy/modules/services/nx.te +++ b/policy/modules/services/nx.te @@ -22,6 +22,9 @@ term_user_pty(nx_server_t, nx_server_devpts_t) type nx_server_tmp_t; files_tmp_file(nx_server_tmp_t) +type nx_server_var_lib_t; +files_type(nx_server_var_lib_t) + type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) @@ -37,10 +40,17 @@ allow nx_server_t self:udp_socket create_socket_perms; allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr }; term_create_pty(nx_server_t, nx_server_devpts_t) +manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) +manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) + manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir }) +manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t) +manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t) +files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir }) + manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)