# DESC NX - NX Server
#
# Author: Thomas Bleher <ThomasBleher@gmx.de>
#
# Depends: sshd.te
#
# Policy for the nxserver helper that sshd runs for NX logins. It declares
# a dedicated domain (nx_server_t), the role that domain runs under, the
# transition from sshd_t into it, and the access the domain is granted.

# Type for the nxserver executable, called from ssh
type nx_server_exec_t, file_type, sysadmfile, exec_type;

# type of the nxserver; userdomain is needed so sshd can transition
type nx_server_t, domain, userdomain;

# we need an extra role because nxserver is called from sshd
role nx_server_r types nx_server_t;
allow system_r nx_server_r;
# automatic transition: sshd_t executing nx_server_exec_t runs as nx_server_t
domain_trans(sshd_t, nx_server_exec_t, nx_server_t)

# not really sure if the additional attributes are needed, copied from userdomains
can_create_pty(nx_server, `, userpty_type, user_tty_type')
# NOTE(review): nx_server_devpts_t is not declared in this file; presumably the
# can_create_pty macro above declares it -- verify against that macro.
type_change nx_server_t server_pty:chr_file nx_server_devpts_t;

uses_shlib(nx_server_t)
read_locale(nx_server_t)

# private tmp and /var/run types for the domain (declared by the macros)
tmp_domain(nx_server)
var_run_domain(nx_server)

# nxserver is a shell script --> call other programs
# NOTE(review): this permits running every bin_t program plus shells; if the
# programs the script calls are known, a narrower exec set would tighten the domain.
can_exec(nx_server_t, { bin_t shell_exec_t })
allow nx_server_t self:process { fork sigchld };
allow nx_server_t self:fifo_file { getattr ioctl read write };
allow nx_server_t bin_t:dir { getattr read search };
allow nx_server_t bin_t:lnk_file read;

r_dir_file(nx_server_t, proc_t)
allow nx_server_t { etc_t etc_runtime_t }:file { getattr read };

# we do not actually need this attribute or the types defined here,
# but otherwise we cannot call the ssh_domain-macro
attribute nx_server_file_type;
type nx_server_home_dir_t alias nx_server_home_t;
type nx_server_xauth_home_t;
type nx_server_tty_device_t;
type nx_server_gph_t;
type nx_server_fonts_cache_t;
type nx_server_fonts_t;
type nx_server_fonts_config_t;
type nx_server_gnome_settings_t;

ssh_domain(nx_server)

can_network_client(nx_server_t)
# NOTE(review): name_connect on the port_type attribute allows outbound TCP
# connections to every labelled port, not only the ones NX needs; listing the
# specific port types here would be the least-privilege form if they are known.
allow nx_server_t port_type:tcp_socket name_connect;

allow nx_server_t devtty_t:chr_file { read write };
allow nx_server_t sysctl_kernel_t:dir search;
allow nx_server_t sysctl_kernel_t:file { getattr read };
allow nx_server_t urandom_device_t:chr_file read;
# for reading the config files; maybe a separate type,
# but users need to be able to also read the config
# (as written this grants read on every usr_t file, not just the NX config)
allow nx_server_t usr_t:file { getattr read };

# silence the denial from libselinux probing the config dir; no access is granted
dontaudit nx_server_t selinux_config_t:dir search;

# clients already have create permissions; the nxclient wants to also have unlink rights
# NOTE(review): this rule targets the whole userdomain attribute, so it widens
# every user domain rather than only nx_server_t -- confirm that is intended.
allow userdomain xdm_tmp_t:sock_file unlink;
# for a lockfile created by the client process
allow nx_server_t user_tmpfile:file getattr;
