selinux-policy/policy/modules/services/nx.te
Dominick Grift 18f2a72d7f Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.
2010-09-23 14:59:23 +02:00

104 lines
3.2 KiB
Plaintext

policy_module(nx, 1.5.0)
########################################
#
# Declarations
#
type nx_server_t;
type nx_server_exec_t;
domain_type(nx_server_t)
domain_entry_file(nx_server_t, nx_server_exec_t)
domain_user_exemption_target(nx_server_t)
# we need an extra role because nxserver is called from sshd
# cjp: do we really need this?
role nx_server_r types nx_server_t;
allow system_r nx_server_r;
type nx_server_devpts_t;
term_user_pty(nx_server_t, nx_server_devpts_t)
type nx_server_tmp_t;
files_tmp_file(nx_server_tmp_t)
type nx_server_var_lib_t;
files_type(nx_server_var_lib_t)
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
type nx_server_home_ssh_t;
files_type(nx_server_home_ssh_t)
########################################
#
# NX server local policy
#
allow nx_server_t self:fifo_file rw_fifo_file_perms;
allow nx_server_t self:tcp_socket create_socket_perms;
allow nx_server_t self:udp_socket create_socket_perms;
allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(nx_server_t, nx_server_devpts_t)
manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
# nxserver is a shell script --> call other programs
corecmd_exec_shell(nx_server_t)
corecmd_exec_bin(nx_server_t)
corenet_all_recvfrom_unlabeled(nx_server_t)
corenet_all_recvfrom_netlabel(nx_server_t)
corenet_tcp_sendrecv_generic_if(nx_server_t)
corenet_udp_sendrecv_generic_if(nx_server_t)
corenet_tcp_sendrecv_generic_node(nx_server_t)
corenet_udp_sendrecv_generic_node(nx_server_t)
corenet_tcp_sendrecv_all_ports(nx_server_t)
corenet_udp_sendrecv_all_ports(nx_server_t)
corenet_tcp_connect_all_ports(nx_server_t)
corenet_sendrecv_all_client_packets(nx_server_t)
dev_read_urand(nx_server_t)
files_read_etc_files(nx_server_t)
files_read_etc_runtime_files(nx_server_t)
# for reading the config files; maybe a separate type,
# but users need to be able to also read the config
files_read_usr_files(nx_server_t)
miscfiles_read_localization(nx_server_t)
seutil_dontaudit_search_config(nx_server_t)
sysnet_read_config(nx_server_t)
ifdef(`TODO',`
# clients already have create permissions; the nxclient wants to also have unlink rights
allow userdomain xdm_tmp_t:sock_file delete_sock_file_perms;
# for a lockfile created by the client process
allow nx_server_t user_tmpfile:file getattr_file_perms;
')
########################################
#
# SSH component local policy
#
ssh_basic_client_template(nx_server, nx_server_t, nx_server_r)