policy_module(nx,1.0.1)

########################################
#
# Declarations
#

type nx_server_t;
type nx_server_exec_t;
domain_type(nx_server_t)
domain_entry_file(nx_server_t,nx_server_exec_t)
domain_user_exemption_target(nx_server_t)
# we need an extra role because nxserver is called from sshd
# cjp: do we really need this?
role nx_server_r types nx_server_t;
allow system_r nx_server_r;

type nx_server_devpts_t;
term_user_pty(nx_server_t,nx_server_devpts_t)

type nx_server_tmp_t;
files_tmp_file(nx_server_tmp_t)

type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)

########################################
#
# NX server local policy
#

allow nx_server_t self:fifo_file { getattr ioctl read write };
allow nx_server_t self:tcp_socket create_socket_perms;
allow nx_server_t self:udp_socket create_socket_perms;

allow nx_server_t nx_server_devpts_t:chr_file { rw_file_perms setattr };
term_create_pty(nx_server_t,nx_server_devpts_t)

allow nx_server_t nx_server_tmp_t:dir manage_dir_perms;
allow nx_server_t nx_server_tmp_t:file manage_file_perms;
files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })

allow nx_server_t nx_server_var_run_t:file manage_file_perms;
allow nx_server_t nx_server_var_run_t:dir rw_dir_perms;
files_pid_filetrans(nx_server_t,nx_server_var_run_t,file)

kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)

# nxserver is a shell script --> call other programs
corecmd_exec_shell(nx_server_t)
corecmd_exec_bin(nx_server_t)

corenet_non_ipsec_sendrecv(nx_server_t)
corenet_tcp_sendrecv_generic_if(nx_server_t)
corenet_udp_sendrecv_generic_if(nx_server_t)
corenet_tcp_sendrecv_all_nodes(nx_server_t)
corenet_udp_sendrecv_all_nodes(nx_server_t)
corenet_tcp_sendrecv_all_ports(nx_server_t)
corenet_udp_sendrecv_all_ports(nx_server_t)
corenet_tcp_connect_all_ports(nx_server_t)
corenet_sendrecv_all_client_packets(nx_server_t)

dev_read_urand(nx_server_t)

files_read_etc_files(nx_server_t)
files_read_etc_runtime_files(nx_server_t)
# for reading the config files; maybe a separate type, 
# but users need to be able to also read the config
files_read_usr_files(nx_server_t)

libs_use_ld_so(nx_server_t)
libs_use_shared_libs(nx_server_t)

miscfiles_read_localization(nx_server_t)

seutil_dontaudit_search_config(nx_server_t)

sysnet_read_config(nx_server_t)

ifdef(`TODO',`
# clients already have create permissions; the nxclient wants to also have unlink rights
allow userdomain xdm_tmp_t:sock_file unlink;
# for a lockfile created by the client process
allow nx_server_t user_tmpfile:file getattr;
')

########################################
#
# SSH component local policy
#

ssh_basic_client_template(nx_server,nx_server_t,nx_server_r)