98 lines
2.9 KiB
Plaintext
98 lines
2.9 KiB
Plaintext
policy_module(nx, 1.5.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type nx_server_t;
|
|
type nx_server_exec_t;
|
|
domain_type(nx_server_t)
|
|
domain_entry_file(nx_server_t, nx_server_exec_t)
|
|
domain_user_exemption_target(nx_server_t)
|
|
# we need an extra role because nxserver is called from sshd
|
|
# cjp: do we really need this?
|
|
role nx_server_r types nx_server_t;
|
|
allow system_r nx_server_r;
|
|
|
|
type nx_server_devpts_t;
|
|
term_user_pty(nx_server_t, nx_server_devpts_t)
|
|
|
|
type nx_server_tmp_t;
|
|
files_tmp_file(nx_server_tmp_t)
|
|
|
|
type nx_server_var_lib_t;
|
|
files_type(nx_server_var_lib_t)
|
|
|
|
type nx_server_var_run_t;
|
|
files_pid_file(nx_server_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# NX server local policy
|
|
#
|
|
|
|
allow nx_server_t self:fifo_file rw_fifo_file_perms;
|
|
allow nx_server_t self:tcp_socket create_socket_perms;
|
|
allow nx_server_t self:udp_socket create_socket_perms;
|
|
|
|
allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
|
|
term_create_pty(nx_server_t, nx_server_devpts_t)
|
|
|
|
manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
|
|
manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
|
|
files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
|
|
manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
|
|
files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
|
|
|
|
manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
|
|
files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
|
|
|
|
kernel_read_system_state(nx_server_t)
|
|
kernel_read_kernel_sysctls(nx_server_t)
|
|
|
|
# nxserver is a shell script --> call other programs
|
|
corecmd_exec_shell(nx_server_t)
|
|
corecmd_exec_bin(nx_server_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(nx_server_t)
|
|
corenet_all_recvfrom_netlabel(nx_server_t)
|
|
corenet_tcp_sendrecv_generic_if(nx_server_t)
|
|
corenet_udp_sendrecv_generic_if(nx_server_t)
|
|
corenet_tcp_sendrecv_generic_node(nx_server_t)
|
|
corenet_udp_sendrecv_generic_node(nx_server_t)
|
|
corenet_tcp_sendrecv_all_ports(nx_server_t)
|
|
corenet_udp_sendrecv_all_ports(nx_server_t)
|
|
corenet_tcp_connect_all_ports(nx_server_t)
|
|
corenet_sendrecv_all_client_packets(nx_server_t)
|
|
|
|
dev_read_urand(nx_server_t)
|
|
|
|
files_read_etc_files(nx_server_t)
|
|
files_read_etc_runtime_files(nx_server_t)
|
|
# for reading the config files; maybe a separate type,
|
|
# but users need to be able to also read the config
|
|
files_read_usr_files(nx_server_t)
|
|
|
|
miscfiles_read_localization(nx_server_t)
|
|
|
|
seutil_dontaudit_search_config(nx_server_t)
|
|
|
|
sysnet_read_config(nx_server_t)
|
|
|
|
ifdef(`TODO',`
|
|
# clients already have create permissions; the nxclient wants to also have unlink rights
|
|
allow userdomain xdm_tmp_t:sock_file unlink;
|
|
# for a lockfile created by the client process
|
|
allow nx_server_t user_tmpfile:file getattr;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# SSH component local policy
|
|
#
|
|
|
|
ssh_basic_client_template(nx_server, nx_server_t, nx_server_r)
|