# DESC NX - NX Server
#
# Author: Thomas Bleher
#
# Depends: sshd.te
#
# Policy for the nxserver script, which is started by sshd. It declares the
# executable type, the nx_server_t domain and the nx_server_r role, and then
# grants that domain the access listed below. All macros used here are
# defined outside this file.

# Type for the nxserver executable, called from ssh
type nx_server_exec_t, file_type, sysadmfile, exec_type;

# type of the nxserver; userdomain is needed so sshd can transition
# NOTE(review): carrying the userdomain attribute means every rule written
# against userdomain elsewhere in the policy also applies to nx_server_t.
type nx_server_t, domain, userdomain;

# we need an extra role because nxserver is called from sshd
role nx_server_r types nx_server_t;
# lets a process running in system_r change role to nx_server_r
allow system_r nx_server_r;
# permits sshd_t to enter nx_server_t by executing a file labeled
# nx_server_exec_t (presumably not an automatic transition -- confirm
# against the macro definition)
domain_trans(sshd_t, nx_server_exec_t, nx_server_t)

# not really sure if the additional attributes are needed, copied from userdomains
# NOTE(review): the second argument adds userpty_type and user_tty_type to
# the pty type; drop them if nothing depends on them.
can_create_pty(nx_server, `, userpty_type, user_tty_type')
# ptys of type server_pty handed to nx_server_t are to be relabeled to
# nx_server_devpts_t (that type is presumably declared by can_create_pty)
type_change nx_server_t server_pty:chr_file nx_server_devpts_t;

uses_shlib(nx_server_t)
read_locale(nx_server_t)

tmp_domain(nx_server)
var_run_domain(nx_server)

# nxserver is a shell script --> call other programs
# NOTE(review): presumably executes without a domain transition, so every
# bin_t program and the shell run with the full permissions of nx_server_t.
can_exec(nx_server_t, { bin_t shell_exec_t })
allow nx_server_t self:process { fork sigchld };
# pipes between the script and its children
allow nx_server_t self:fifo_file { getattr ioctl read write };
allow nx_server_t bin_t:dir { getattr read search };
allow nx_server_t bin_t:lnk_file read;
r_dir_file(nx_server_t, proc_t)
allow nx_server_t { etc_t etc_runtime_t }:file { getattr read };

# we do not actually need this attribute or the types defined here,
# but otherwise we cannot call the ssh_domain-macro
attribute nx_server_file_type;
type nx_server_home_dir_t alias nx_server_home_t;
type nx_server_xauth_home_t;
type nx_server_tty_device_t;
type nx_server_gph_t;
type nx_server_fonts_cache_t;
type nx_server_fonts_t;
type nx_server_fonts_config_t;
type nx_server_gnome_settings_t;

# must come after the declarations above (see the comment there)
ssh_domain(nx_server)

can_network_client(nx_server_t)
# NOTE(review): written against port_type rather than a specific port type;
# if port_type covers every port type, as the name suggests, nx_server_t may
# open outbound TCP connections to any port. Narrow this to the ports
# nxserver actually uses if they are known.
allow nx_server_t port_type:tcp_socket name_connect;

allow nx_server_t devtty_t:chr_file { read write };
allow nx_server_t sysctl_kernel_t:dir search;
allow nx_server_t sysctl_kernel_t:file { getattr read };
allow nx_server_t urandom_device_t:chr_file read;
# for reading the config files; maybe a separate type,
# but users need to be able to also read the config
# NOTE(review): this grants read on every file labeled usr_t, not only the
# NX configuration.
allow nx_server_t usr_t:file { getattr read };
# only silences the audit record; the search is still denied
dontaudit nx_server_t selinux_config_t:dir search;

# clients already have create permissions; the nxclient wants to also have unlink rights
# NOTE(review): the source is the userdomain attribute, so this is granted
# to every user domain (and to nx_server_t, which carries the attribute),
# not only to the NX client. Consider a dedicated client type, or a
# dedicated socket type instead of xdm_tmp_t.
allow userdomain xdm_tmp_t:sock_file unlink;

# for a lockfile created by the client process
allow nx_server_t user_tmpfile:file getattr;